bleepingcomputer.com
By Sergiu Gatlan
November 21, 2025

American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.

However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.

"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.

"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."

CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.

However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.

ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.

The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.

The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.

BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.

The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.

Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, ​​​​​​Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.

Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.

As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.

This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.

As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft drift breach.

Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster.
In today’s cyberthreat landscape, even seconds of delay can mean the difference between stopping a cyberattack or falling victim to ransomware. One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms. This, in turn, can reduce confidence, complicate analysis, and delay response. As outlined in the National Institute of Standards and Technology’s (NIST) guidance on threat sharing (SP 800-1501), aligning how we describe and categorize cyberthreats can improve understanding, coordination, and overall security posture.

That’s why we are excited to announce that Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies. By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence.

Read about Microsoft and Crowdstrike’s joint threat actor taxonomy
Names are how we make sense of the threat landscape and organize insights into known or likely cyberattacker behaviors. At Microsoft, we’ve published our own threat actor naming taxonomy to help researchers and defenders identify, share, and act on our threat intelligence, which is informed by the 84 trillion threat signals that we process daily. But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor. Our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.

Introducing a collaborative reference guide to threat actors
Microsoft and CrowdStrike are publishing the first version of our joint threat actor mapping. It includes:

A list of common actors tracked by Microsoft and CrowdStrike mapped by their respective taxonomies.
Corresponding aliases from each group’s taxonomy.
This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play. This reference guide helps to:

Improve confidence in threat actor identification.
Streamline correlation across platforms and reports.
Accelerate defender action in the face of active cyberthreats.
This effort is not about creating a single naming standard. Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.

A phishing campaign is using CrowdStrike recruitment branding to deliver malware disguised as a fake application. Learn more.

CrowdStrike says it has revamped several testing, validation, and update rollout processes to prevent a repeat of the embarrassing July outage that caused widespread disruption on Windows systems around the world.

Existing low-level access for security solutions will undergo a rework

CrowdStrike President Michael Sentonas appears at DEF CON's annual Pwnie Awards to accept the 'award' because 'we got this horribly wrong [and] it's super important to own it.'

Delta CEO Ed Bastian said the company plans to seek compensation from Microsoft and CrowdStrike.

CrowdStrike (CRWD.O), opens new tab has been sued by shareholders who said the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the July 19 global outage that crashed more than 8 million computers.
In a proposed class action filed on Tuesday night in the Austin, Texas federal court, shareholders said they learned that CrowdStrike's assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world.

Just after midnight Eastern Time on July 19, 2024, the enterprise cybersecurity company CrowdStrike YOLOed a software update to millions of Windows machines. Or as they put it:

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems.

That sensor configuration update caused the largest IT outage in history.

In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.

Microsoft has started responding with changes it wants to see in the wake of the CrowdStrike botched update. It looks like Windows kernel access is on the agenda.

CrowdStrike has blamed a bug in its own test software for the mass-crash-event it caused last week.

A Wednesday update to its remediation guide added a preliminary post incident review (PIR) that offers the antivirus maker's view of how it brought down 8.5 million Windows boxes.

Learn more about a Word document CrowdStrike Intelligence identified containing macros that download an unidentified stealer now tracked as Daolpu.

Shares of CrowdStrike plunged 13% on Monday, extending their loss-making streak, after Wall Street analysts downgraded the stock on concerns over the financial fallout from a global cyber outage last week.

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.

This issue is not the result of or related to a cyberattack.

On July 18, CrowdStrike, an independent cybersecurity company, released a software update that began impacting IT systems globally. Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers.

I want to sincerely apologize directly to all of you for today’s outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.

The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

Cascading and catastrophic IT outages have hit thousands of organizations worldwide after CrowdStrike issued a faulty update in its Falcon Sensor product that caused Windows operating systems to crash.

Businesses worldwide are experiencing outages, including Windows "blue screen of death" errors on their computers, in what has already become one of the

Read this blog on the anatomy of an ALPHA SPIDER ransomware attack to better understand how they operate and how to better protect your business.