November 24, 2025 | 5 min read | Category: Insider Threats
CrowdStrike says it terminated an insider last month after confirming the individual shared screenshots of internal systems that later appeared on a Telegram channel under the Scattered Lapsus$ Hunters banner. The company reports no breach of its environment, no customer impact, and that the case has been handed to law enforcement.
Threat actors affiliated with ShinyHunters claim they offered the insider about $25,000 and received SSO cookies, but say the account was disabled before any meaningful use. They also boasted about trying to purchase internal reports related to their own operations. These are adversary assertions and remain unverified. The screenshots posted appear to show internal dashboards and links, including identity access points, which can be useful for recon even if they don't grant direct access.
This incident lands amid broader claims tied to the same ecosystem, including Salesforce-targeting activity and a pivot toward a RaaS model they've branded themselves. The group has circulated long lists of alleged victims; some named organizations have pushed back. For example, DocuSign said it found no indication of compromise following its review and disabled Gainsight integrations as a precaution. Expect more denials or confirmations as investigations conclude.
The practical takeaway is straightforward. Treat internal UI context as sensitive, because it lowers the cost of targeted social engineering and token theft. Keep session lifetimes tight, bind tokens to device posture and network context, and alert on unusual cookie reuse or sudden MFA fatigue. Require managed devices for SSO access where feasible, apply step-up auth on risky signals, and move admin access to just-in-time elevation with full audit trails. For SaaS, right-size OAuth scopes for every connected app, keep an inventory, and be ready to revoke tokens and temporarily disable low-confidence integrations quickly.
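One way to alert on unusual cookie reuse, as an added example that is not from the article or from any vendor named in it: the detector binds each SSO session to the device and network where it first appeared, then flags later use that breaks that binding or outlives an assumed 8-hour lifetime. The log format, field names and sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy value, not from the article

@dataclass(frozen=True)
class Event:
    ts: datetime
    session_id: str
    user: str
    device_id: str  # managed-device identifier reported by the IdP (assumed field)
    asn: int        # network context of the request (assumed field)

def parse(line: str) -> Event:
    """Parse one 'ts session user device asn' line of the constructed log format."""
    ts, sid, user, device, asn = line.split()
    return Event(datetime.fromisoformat(ts), sid, user, device, int(asn))

def detect_cookie_reuse(events):
    """Return (event, reasons) for each use of a session outside its first-seen binding."""
    bound = {}   # session_id -> first Event seen for that session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = bound.setdefault(ev.session_id, ev)
        reasons = []
        if ev.device_id != first.device_id:
            reasons.append("device_changed")
        if ev.asn != first.asn:
            reasons.append("network_changed")
        if ev.ts - first.ts > MAX_SESSION_AGE:
            reasons.append("session_too_old")
        if reasons:
            alerts.append((ev, reasons))
    return alerts

# Constructed sample log lines (not real data); ASNs are from the documentation range.
SAMPLE_LOG = """\
2025-01-10T09:00:00 sess-a1 alice laptop-01 64500
2025-01-10T09:20:00 sess-a1 alice laptop-01 64500
2025-01-10T09:25:00 sess-a1 alice unknown-7 64511
2025-01-10T10:00:00 sess-b2 bob laptop-02 64500
2025-01-10T19:30:00 sess-b2 bob laptop-02 64500
"""

def run_sample():
    return detect_cookie_reuse(parse(line) for line in SAMPLE_LOG.splitlines() if line.strip())

if __name__ == "__main__":
    for ev, reasons in run_sample():
        print(ev.ts.isoformat(), ev.user, ev.session_id, ",".join(reasons))
```

In production the same binding check is better enforced at the identity provider so the session is revoked, with this kind of log rule kept as a backstop alert.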
Written by: Logan Elliott
Cyberix
https://cyberixsafe.com
