CrowdStrike Fires Insider: Truth Behind the Gainsight Hack and Scattered Lapsus Claims


Cybersecurity titan CrowdStrike has taken decisive action against an internal threat, terminating a "suspicious insider" accused of leaking sensitive visual data to a notorious cybercriminal gang. The incident centers on a dispute between the company's security narrative and the claims of "Scattered Lapsus$ Hunters," a hacking collective that recently posted screenshots suggesting they had penetrated CrowdStrike’s internal systems. This event underscores the persistent danger of the "human element" in cybersecurity, proving that even firms dedicated to protecting others are not immune to internal vulnerabilities.

The drama unfolded on Telegram, where the hacking group published images purporting to show access to CrowdStrike’s internal resources, including an Okta dashboard used for employee authentication. The attackers alleged that this access was obtained through a supply chain compromise involving Gainsight, a customer relationship management platform widely used in the tech industry. By leveraging data supposedly stolen from Gainsight, the hackers claimed to have pivoted into CrowdStrike’s network, a classic lateral movement tactic often used to bypass perimeter defenses.

However, CrowdStrike has vehemently denied these claims of a technical breach. In a statement to the press, spokesperson Kevin Benacci clarified that the company's systems remained secure and no customer data was compromised. Instead, the company determined that the insider had "shared pictures of his computer screen externally," a violation of security protocols that led to his immediate termination. CrowdStrike has since handed the matter over to law enforcement, characterizing the incident as an isolated insider leak rather than a systemic failure of its defenses.

The group claiming responsibility, Scattered Lapsus$ Hunters, represents a formidable convergence of several dangerous threat actors, including members of ShinyHunters, Scattered Spider, and Lapsus$. These groups are infamous for their mastery of social engineering, manipulating employees into handing over credentials, rather than relying solely on technical exploits. Their collaboration signals a worrying trend of consolidation among cybercriminal entities, pooling resources and tactics to target high-value corporate networks and employee help desks.

This incident is part of a larger, aggressive campaign targeting the software supply chain. In October, the same collective claimed to have exfiltrated over one billion records from major corporations by exploiting vulnerabilities related to Salesforce data hosting. High-profile victims listed on their data leak site included Allianz Life, Qantas, Stellantis, and Workday. The recurring theme in these attacks is the exploitation of third-party integrations, such as Gainsight, to bypass the hardened perimeters of primary targets.

Ultimately, the CrowdStrike incident serves as a stark reminder that a company's security is only as strong as its most trusted employee. While the hackers likely failed to execute a full technical compromise of CrowdStrike’s platform, their ability to solicit internal screenshots proves that insider recruitment remains a viable vector for threat actors. For the cybersecurity industry, this reinforces the critical need for robust Zero Trust architectures and continuous monitoring of user behavior to detect anomalies before they escalate into full-blown data breaches.