
CrowdStrike Fired a Mole. That Mole Fed Hackers Company Secrets

CrowdStrike just confirmed what security teams dread most. An insider went rogue.

The cybersecurity giant terminated an employee last month who allegedly leaked internal information to Scattered Lapsus$ Hunters. This hacking collective made headlines Thursday by posting screenshots that appeared to show access to CrowdStrike’s internal systems.

But here’s where the story gets messier. The hackers claim they breached CrowdStrike through a completely different company.

The Hackers’ Story Doesn’t Match CrowdStrike’s

Scattered Lapsus$ Hunters posted screenshots showing what looked like legitimate access to CrowdStrike dashboards. These images included employee portals and an Okta login screen used for internal apps.

Then the hackers made a bold claim. They said they compromised CrowdStrike by first breaking into Gainsight, a customer success platform that plugs into Salesforce and holds customer data on behalf of its users. According to their account, data stolen from Gainsight gave them the keys to CrowdStrike’s kingdom.

CrowdStrike calls that story “false.” Instead, the company says it caught the insider after he “shared pictures of his computer screen externally.” So the screenshots weren’t from a breach. They came from someone sitting at an actual CrowdStrike computer, taking photos of his own screen.

That’s a critical distinction. It means the hackers didn’t crack CrowdStrike’s defenses through technical wizardry. They recruited someone already inside.


Social Engineering Beats Security Tech

Scattered Lapsus$ Hunters specializes in exactly this approach. The collective combines members from notorious groups like ShinyHunters, Scattered Spider, and the original Lapsus$ crew.

Their playbook? Manipulate employees into handing over access. No sophisticated exploits needed. Just good old-fashioned social engineering.

And it works frighteningly well. In October, the same group claimed they stole over 1 billion records from companies using Salesforce. Their victim list reads like a Fortune 500 directory: Allianz Life, Qantas, Stellantis, TransUnion, Workday, and more.

These aren’t small targets. These are massive corporations with substantial security budgets. Yet human vulnerability keeps trumping technical defenses.

The Insider Threat Problem

CrowdStrike spokesperson Kevin Benacci insists “our systems were never compromised and customers remained protected throughout.” The company says it immediately terminated the insider’s access and contacted law enforcement.

But that raises uncomfortable questions. How did this person get recruited? How long were they passing information before getting caught? And what exactly did they share?

Plus, there’s the timing issue. CrowdStrike suffered massive reputational damage in July 2024 when a faulty Falcon sensor update crashed roughly 8.5 million Windows machines worldwide. Now they’re dealing with an insider threat. That’s a rough streak for a company selling cybersecurity solutions.

Moreover, the Gainsight connection adds another layer of concern. Even if CrowdStrike wasn’t breached through that vector, other companies might have been. Gainsight hasn’t responded to requests for comment about their alleged breach.

So we’re left with partial information and competing narratives. The hackers say they exploited third-party access. CrowdStrike says they caught a rogue employee. Both could be partially true.

Why This Matters Beyond CrowdStrike

Insider threats represent every company’s nightmare scenario. You can install the best firewalls, deploy sophisticated monitoring tools, and run endless security training. But if someone with legitimate access decides to turn malicious, detection becomes incredibly hard.

Traditional security tools look for external attacks. They scan for unusual network traffic, suspicious login attempts, and malware signatures. But when an authorized user with valid credentials accesses systems during normal business hours? That looks completely legitimate.

So the challenge becomes distinguishing between normal work activities and malicious behavior. CrowdStrike apparently succeeded by noticing the employee photographing his screen. But how many other insiders operate more carefully?


Furthermore, the social engineering angle keeps evolving. These hacking groups don’t just find random employees on LinkedIn. They research targets carefully. They identify people with financial troubles, personal grievances, or other vulnerabilities. Then they craft personalized approaches.

And the payoffs can be substantial. Screenshots of internal systems sell on dark web forums. Access credentials command premium prices. Corporate secrets have value to competitors. So motivated employees face real temptation.

The Gainsight Question Nobody’s Answering

Here’s what bothers me most. Gainsight manages customer data for Salesforce users. That means they hold information about customer relationships, interactions, and business processes for potentially thousands of companies.

If Scattered Lapsus$ Hunters really did breach Gainsight, the damage extends far beyond CrowdStrike. Every company using that platform becomes a potential target. Hackers could use stolen customer data to craft convincing phishing attacks, impersonate business partners, or plan targeted breaches.

Yet Gainsight remains silent. No security advisory. No breach notification. Just radio silence while hackers claim they ransacked the place.

That silence is deafening. Companies deserve to know if their customer data was compromised. Employees need warnings about potential phishing attacks using stolen information. Customers should understand the risks.


Instead, we’re left with hackers’ claims and one company’s denial. Meanwhile, the alleged insider faces potential criminal charges. And somewhere, other companies are probably discovering they’re on Scattered Lapsus$ Hunters’ victim list.

What Companies Should Do Right Now

First, audit who has access to what. Many organizations grant overly broad permissions that let employees see data they don’t actually need. Tighten those controls immediately.

Second, monitor for unusual behavior patterns. Employees suddenly accessing systems they rarely touch. Download spikes outside normal work hours. Screen capture tools running constantly. These can signal insider threats.
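Here is what those three signals look like as detection logic. This is an added example, not code from CrowdStrike or from the article; the log format (JSON lines with ts, user, system, action, bytes and process fields), the business-hours window, the spike factor, the burst threshold and the list of screen-capture process names are all assumptions, and the log lines are constructed for the demo.

```python
"""Baseline-based insider-activity heuristics over constructed access logs.

Added example, not CrowdStrike's or the article's code. Log schema, thresholds
and tool names are hypothetical choices for the demo.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumption)
SPIKE_FACTOR = 5                # download size vs. the user's baseline mean
CAPTURE_BURST = 3               # capture-tool launches per day that trigger an alert
CAPTURE_TOOLS = {"snippingtool.exe", "greenshot.exe", "sharex.exe"}  # hypothetical list

# Constructed baseline period: a user's ordinary activity (abridged).
BASELINE_LOG = [
    '{"ts":"2025-10-01T09:12:00","user":"alice","system":"wiki","action":"view","bytes":12000,"process":"chrome.exe"}',
    '{"ts":"2025-10-01T10:40:00","user":"alice","system":"crm","action":"download","bytes":200000,"process":"chrome.exe"}',
    '{"ts":"2025-10-02T14:05:00","user":"alice","system":"crm","action":"download","bytes":180000,"process":"chrome.exe"}',
    '{"ts":"2025-10-03T11:30:00","user":"alice","system":"wiki","action":"view","bytes":9000,"process":"chrome.exe"}',
    '{"ts":"2025-10-04T16:00:00","user":"alice","system":"crm","action":"download","bytes":220000,"process":"chrome.exe"}',
]

# Constructed day under review: a system the user never touched, an off-hours
# bulk download, and a burst of screen-capture launches.
REVIEW_LOG = [
    '{"ts":"2025-11-20T09:05:00","user":"alice","system":"crm","action":"download","bytes":190000,"process":"chrome.exe"}',
    '{"ts":"2025-11-20T22:15:00","user":"alice","system":"admin-console","action":"view","bytes":5000,"process":"chrome.exe"}',
    '{"ts":"2025-11-20T22:20:00","user":"alice","system":"crm","action":"download","bytes":4000000,"process":"chrome.exe"}',
    '{"ts":"2025-11-20T22:21:00","user":"alice","system":"crm","action":"view","bytes":0,"process":"snippingtool.exe"}',
    '{"ts":"2025-11-20T22:23:00","user":"alice","system":"admin-console","action":"view","bytes":0,"process":"snippingtool.exe"}',
    '{"ts":"2025-11-20T22:25:00","user":"alice","system":"crm","action":"view","bytes":0,"process":"snippingtool.exe"}',
]


def parse(lines):
    """Parse JSON log lines and convert the timestamp to a datetime."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def build_baseline(events):
    """Per user: the set of systems normally used and the mean bytes per download."""
    systems = defaultdict(set)
    download_sizes = defaultdict(list)
    for event in events:
        systems[event["user"]].add(event["system"])
        if event["action"] == "download":
            download_sizes[event["user"]].append(event["bytes"])
    mean_download = {u: sum(b) / len(b) for u, b in download_sizes.items()}
    return {"systems": systems, "mean_download": mean_download}


def score(events, baseline):
    """Return (user, rule, detail) alerts for events that deviate from the baseline."""
    alerts = []
    rare_seen = set()      # alert once per (user, system), not per event
    captures = Counter()   # capture-tool launches per (user, day)
    for event in events:
        user, hour = event["user"], event["ts"].hour

        # 1. Access to a system absent from the user's historical baseline.
        if event["system"] not in baseline["systems"].get(user, set()):
            if (user, event["system"]) not in rare_seen:
                rare_seen.add((user, event["system"]))
                alerts.append((user, "rare_system", event["system"]))

        # 2. Download far larger than the user's usual size, outside business hours.
        mean = baseline["mean_download"].get(user)
        if (event["action"] == "download" and mean
                and event["bytes"] > SPIKE_FACTOR * mean
                and hour not in BUSINESS_HOURS):
            alerts.append((user, "offhours_download_spike", event["bytes"]))

        # 3. Repeated screen-capture tool use within one day.
        if event["process"].lower() in CAPTURE_TOOLS:
            key = (user, event["ts"].date())
            captures[key] += 1
            if captures[key] == CAPTURE_BURST:
                alerts.append((user, "capture_tool_burst", captures[key]))
    return alerts


def run():
    """Build the baseline from the quiet period and score the day under review."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score(parse(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the baseline is that none of these events is suspicious on its own: a download, a console login and a screenshot tool are all normal work. They only stand out relative to what this user usually does, which is why per-user history rather than a global rule is the core of insider detection. In production the baseline would come from weeks of SIEM data and the thresholds would be tuned per role, but the structure is the same.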

Third, implement zero-trust architecture. Even authenticated users shouldn’t get unlimited access. Verify every request, limit lateral movement, and assume breach mentality.

Finally, remember that technical controls only go so far. The human element remains the weakest link. So invest in security culture, not just security software. Make employees understand they’re targets. Teach them how social engineering works. Create reporting mechanisms for suspicious approaches.

Because the next breach probably won’t come from sophisticated malware. It’ll come from someone who already has the keys, deciding to use them maliciously.

CrowdStrike caught their insider. Your company might not be so lucky.
