⚠️ MEDIUM | news

CrowdStrike Fires Insider Who Shared Internal Screens with Hackers

Category: Industry News
CrowdStrike disclosed that it terminated a "suspicious insider" who shared internal system screenshots with a hacking group, but stressed that its own systems were not breached and that customer data remained protected. According to reporting, screenshots of internal dashboards, including an Okta access panel, were later published on a Telegram channel associated with Scattered Lapsus$ Hunters. CrowdStrike clarified that the images came from the insider's workstation, not from an external intrusion, which makes this an insider-threat event rather than a perimeter compromise. The original report maps it to MITRE ATT&CK T1082 (System Information Discovery); note that T1082 describes an adversary enumerating host details, and capturing and sharing console views is more directly ATT&CK T1113 (Screen Capture).

The company stated that its internal investigation detected the insider's activity, after which it revoked access and referred the case to law enforcement. ShinyHunters reportedly claimed they offered the insider $25,000 for deeper network access and attempted to buy internal reports about themselves and Scattered Spider; CrowdStrike said the insider did not provide such access and that its systems were never compromised. The episode occurs against the backdrop of ShinyHunters and related groups running data-theft waves through Salesforce Gainsight connectors, but CrowdStrike emphasized that its situation was unrelated to those SaaS-focused campaigns.

For customers and partners, the incident is a reminder that even leading security vendors face insider risk, and that screenshots or limited leakage from administrative interfaces can help adversaries map an organization's environment: an SSO admin panel alone can reveal application inventory, naming conventions and group structure. CrowdStrike's early detection and decisive response, terminating access and engaging law enforcement, contained the potential damage and supports its statement that there was no backend breach or customer data exposure. Enterprises consuming security services and platforms should review their own insider-threat programs, focusing on privileged users who have visibility into dashboards, configurations and threat intelligence.

Controls such as session monitoring, just-in-time access, strict approval workflows for administrative access, and data loss prevention controls around screenshots and screen sharing for sensitive applications reduce both the likelihood and the impact of similar insider-enabled leaks.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The CrowdStrike insider incident illustrates that trusted employees with access to security tooling can still become conduits for sensitive information leakage, even without a full system breach. For customers, the main risk is erosion of confidence and the possibility that adversaries use leaked interface details to refine targeting, though CrowdStrike's statements indicate no direct customer data exposure.

Technical Context: The event centers on a single insider sharing screenshots of internal dashboards rather than on exploitation of technical vulnerabilities. Mitigations include robust insider-threat monitoring, least-privilege access models, and controls on capturing or exfiltrating on-screen information from consoles that manage authentication and security infrastructure.

Strategic Intelligence Guidance

  • Review insider-threat monitoring for privileged accounts accessing security consoles, identity dashboards and threat-intel systems, ensuring behavioral analytics can flag unusual screenshotting or data export activity.
  • Implement just-in-time access and role-based access control for high-value administrative panels such as SSO dashboards and EDR management consoles, limiting standing privileges.
  • Deploy data loss prevention or session-recording controls for sensitive applications to monitor and restrict screen capture, printing or sharing of sensitive console views.
  • Ensure vendor risk assessments and contracts account for insider threats at service providers, including expectations for monitoring, incident response and customer notification when insider events occur.
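The first and third bullets above ask for analytics that flag unusual screen-capture or export activity against security consoles. As an added illustration (not code from the original report, from CrowdStrike, or from any DLP product), the block below runs a simple detector over a constructed audit-log sample: it isolates capture-type actions (screenshot, export, print, clipboard copy) against a set of sensitive applications, flags any user with a burst of more than three such actions inside a one-hour window, and separately flags captures outside business hours. The application labels, the CSV event shape, the 08:00 to 17:59 UTC business window and the thresholds are all assumptions for the example; map them to whatever your SSO, EDR and endpoint-DLP telemetry actually emits.

```python
"""
Added example: flag screen-capture/export bursts against security consoles.
Not vendor code; the event format, app names and thresholds are invented.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: application labels and action names as a DLP/EDR agent might
# tag them. Replace with the values your telemetry uses.
SENSITIVE_APPS = {"okta-admin", "edr-console", "threat-intel-portal"}
CAPTURE_ACTIONS = {"screenshot", "export", "print", "clipboard_copy"}
BUSINESS_HOURS_UTC = range(8, 18)   # assumption: 08:00-17:59 UTC
BURST_THRESHOLD = 3                 # more than this many captures in a window
BURST_WINDOW_SECONDS = 3600         # one-hour sliding window

# Constructed sample log (timestamp,user,app,action). "jdoe" captures four
# console views within 15 minutes at 21:xx UTC; the others are benign noise.
SAMPLE_LOG = """\
2025-11-20T09:12:40Z,asmith,threat-intel-portal,view
2025-11-20T09:13:02Z,asmith,threat-intel-portal,export
2025-11-20T09:40:15Z,bkim,wiki,screenshot
2025-11-20T09:41:00Z,bkim,wiki,screenshot
2025-11-20T09:42:30Z,bkim,wiki,screenshot
2025-11-20T09:43:10Z,bkim,wiki,screenshot
2025-11-20T10:05:00Z,jdoe,edr-console,view
2025-11-20T21:05:11Z,jdoe,okta-admin,view
2025-11-20T21:06:02Z,jdoe,okta-admin,screenshot
2025-11-20T21:07:45Z,jdoe,okta-admin,screenshot
2025-11-20T21:12:19Z,jdoe,edr-console,screenshot
2025-11-20T21:20:03Z,jdoe,threat-intel-portal,export
"""


def parse_events(text):
    """Parse CSV audit lines into dicts with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "app": app,
                       "action": action})
    return events


def detect_capture_anomalies(events, threshold=BURST_THRESHOLD,
                             window=BURST_WINDOW_SECONDS,
                             business_hours=BUSINESS_HOURS_UTC):
    """Return {user: sorted reasons} for suspicious console-capture activity.

    Only capture-type actions against SENSITIVE_APPS are considered, so
    screenshots of non-sensitive apps (e.g. a wiki) never trigger a finding.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["app"] in SENSITIVE_APPS and e["action"] in CAPTURE_ACTIONS:
            per_user[e["user"]].append(e["time"])

    findings = defaultdict(set)
    for user, times in per_user.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then check
        # whether the number of captures inside it exceeds the threshold.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > threshold:
                findings[user].add("capture_burst")
        if any(t.hour not in business_hours for t in times):
            findings[user].add("after_hours_capture")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in detect_capture_anomalies(
            parse_events(SAMPLE_LOG)).items():
        print(user, reasons)
```

On the sample above only jdoe is flagged, for both a capture burst and after-hours activity; asmith's single export and bkim's screenshots of a non-sensitive app produce nothing. In practice the threshold should come from a per-user or per-role baseline rather than a constant, and a finding should open a review of the full session recording rather than an automatic block, since legitimate console screenshots (incident write-ups, vendor support cases) are common.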

Vendors

CrowdStrike

Threats

Insider threat
Information leakage

Targets

Security vendors
Threat intelligence teams

Impact

Financial: $25,000 attempted bribe reported