
Update November 21, 12:04 EST: Story updated with information from hackers.
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots of its internal systems with hackers, after the Scattered Lapsus$ Hunters threat actors leaked those images on Telegram.
However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.
However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.
ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.
The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.
The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.
BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.
The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.
Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.
Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.
As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.
As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft Drift breach.
Update November 24, 08:39 EST: DocuSign reached out after the article was published to deny ShinyHunters' breach claims.
"We are aware of ShinyHunters’ claim. Following a comprehensive log analysis and internal investigation, we have no indication of a Docusign data compromise at this time," a DocuSign spokesperson told BleepingComputer in an emailed statement.
"Out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows. We continue to actively monitor for any suspicious activity and are partnering closely with Salesforce should additional information become available."