A major cybersecurity firm has revealed it terminated an individual with internal access after an investigation determined the person sold sensitive information to a known hacking collective. The financially motivated threat actors, known as Scattered Lapsus$ Hunters, posted various screenshots to their public Telegram channel, which depicted images of the company’s internal dashboards and included a visible link to an Okta Single Sign-On (SSO) panel. The appearance of these images initially led the hacking group to falsely claim they had successfully breached the security company’s systems through a supply chain attack involving a third-party vendor.
The threat actors initially circulated a narrative claiming their access was achieved by exploiting a vulnerability within Gainsight, a common third-party vendor used for customer management services. This claim followed a week of activity where the same group boasted of compromising numerous Salesforce customers through their Gainsight integrations. In response to these reports of wider potential compromise, Salesforce subsequently disconnected all Gainsight-published applications from its platform as a precautionary measure, though the specific relationship between the CrowdStrike incident and the general Salesforce/Gainsight issues remains unclear.
In an official statement released to the press, the cybersecurity firm vehemently denied that any breach of its corporate network or core security systems had occurred. A company representative confirmed that the leak was instead the result of a deliberate act by a “suspicious insider,” whom they identified and terminated the previous month. The spokesperson clarified the nature of the breach, stating that the individual “shared pictures of his computer screen externally,” emphasizing that the company’s systems were never successfully compromised and that customer data and protection remained secure throughout the event.
The cybersecurity firm has since turned the entire case and the evidence gathered during its internal investigation over to relevant law enforcement agencies for further action. It is currently unknown whether the terminated insider was a formal employee, a third-party contractor, a consultant, or a business partner, though they clearly held authorized access to internal systems necessary to capture the displayed screenshots. The incident highlights the growing threat of financially motivated insiders providing initial access or intelligence to external hacking groups for profit.
The hacking group, Scattered Lapsus$ Hunters, reportedly claimed to have paid the internal source a sum of $25,000 for the leaked data, including purported access credentials and authentication cookies. This group has been particularly active recently, asserting responsibility for data theft campaigns targeting a wide range of organizations, including high-profile brands and other security companies, claiming to have amassed over a thousand victims among Salesforce customers alone. This latest incident demonstrates the continued risk posed by human factors in highly secure environments.
Reference:
