CrowdStrike has fired an employee the company labeled a “suspicious insider,” claiming that person shared internal information with a high-profile hacker group. The company disputed the attackers’ account that a breach of a third party allowed deeper access, characterizing the incident instead as an insider-driven exposure that included screenshots shared externally.
The episode highlights a harsh reality confronting even the best security vendors: There’s simply nothing that can protect the strongest perimeter from one crime, committed by just one trusted user.

It also shines a light on the eroding walls between SaaS suppliers, customer success platforms, and core security operations—an ecosystem that adversaries are navigating with ever-increasing sophistication.
What CrowdStrike Says Happened in the Insider Incident
Based on the company’s version of events, the insider lost his or her access after an internal investigation found that he or she had shared images of a computer screen with others outside the organization. CrowdStrike dismissed accusations flying around hacker channels that its environment had been breached as part of a wider breach taking place at Gainsight, a customer relationship management provider used by Salesforce customers. The company described those claims as false and stressed that it had contained the incident by isolating the insider and examining other routes of access.
Although details are thin on the ground, screenshot-based leaks carry their own particular perils. They can expose sensitive tool configurations, internal dashboards, and incident or ticket queues, whereas the traditional leak was expected to involve document files (PDF/Office) traded as proof.
The Gainsight Angle And The Scattered Lapsus$ Hunters
The hackers making the claims are associated with a group operating under the name Scattered Lapsus$ Hunters and are a loosely gathered band including members affiliated with ShinyHunters, Scattered Spider, and Lapsus$. These groups have become notorious for aggressive social engineering—SIM swaps, help desk impersonation, and MFA fatigue campaigns—to pry open corporate portals and contractor accounts.
In recent months, the collective has claimed large-scale thefts of records associated with organizations that use Salesforce-connected services, naming companies including Allianz Life, Qantas, Stellantis, TransUnion, and Workday on a leak site. The attackers reportedly leveraged an incident at Gainsight (and data found in that breach) to pivot closer to CrowdStrike. CrowdStrike, however, maintains that the intrusion story is false and that the source of “the threat” was a single employee sharing screen content externally—which suggests attackers may be expanding their impact by associating themselves with popular brands and high-profile supply chain incidents.
Insider Threats: The Numbers Behind Rising Risks
Industry data reveals that the insider problem continues to be rampant—and costly. For the past several years Verizon’s Data Breach Investigations Report has found that the human element constitutes a significant percentage of all breaches, and that a sizable share originates with insiders rather than external adversaries. Independent research from Ponemon on insider threats has pegged the average annualized cost of insider incidents in the tens of millions for large organizations, with containment often lasting weeks to months. In its Cost of a Data Breach Report, IBM often notes longer dwell times and increased remediation costs when credentials (and trusted access) are misused.

The economics are brutal: a single insider with routine access can short-circuit layers and layers of technical defenses, and the resulting visibility for attackers—names, roles, network diagrams, live incident feeds—can power broader campaigns far beyond the initial victim.
Why Screenshots Still Fall Through the Cracks
Screen captures fall into an uncomfortable no-man’s-land of defense for companies. Most classic data loss prevention solutions are concerned with file movement, email attachments, and clipboard activity. Screenshots of internal consoles, on the other hand, can slip past classifiers and are hard to identify without careful review, even though they may contain API keys, case numbers, escalation paths, or even QR codes for MFA enrollment. In MITRE ATT&CK parlance, screen capture is an established collection technique that, combined with social engineering, can bootstrap more invasive access without triggering classic exfiltration alarms.
Organizations need to counter this with layered controls: hardened admin workstations, watermarking and session recording in virtual desktops, just-in-time and least-privilege access in place of standing access, conditional access tied to device posture, and behavioral analytics tuned against normal usage of collaboration tools.
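One way to turn the “screen capture followed by external sharing” pattern into a behavioral detection, added here as an illustration rather than CrowdStrike’s or any vendor’s own logic; the telemetry events, user names, domains and approved-destination list are all constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint/proxy telemetry (not from any real incident):
# (ISO timestamp, user, event type, detail). Upload detail is the destination host.
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "screen_capture", "SnippingTool.exe"),
    ("2024-01-10T09:02:30", "alice", "upload", "files.corp-chat.example"),  # sanctioned tool
    ("2024-01-10T11:15:00", "bob", "screen_capture", "SnippingTool.exe"),
    ("2024-01-10T11:16:10", "bob", "upload", "share.external.example"),     # not sanctioned
    ("2024-01-10T13:00:00", "bob", "screen_capture", "SnippingTool.exe"),
    ("2024-01-10T13:40:00", "bob", "upload", "share.external.example"),     # outside window
]

# Baseline of collaboration destinations the organization considers normal (constructed).
APPROVED_SHARE_DOMAINS = {"files.corp-chat.example"}
WINDOW = timedelta(minutes=10)


def find_capture_then_external_share(events, approved=APPROVED_SHARE_DOMAINS, window=WINDOW):
    """Return (user, capture_time, destination) for every upload to a non-approved
    destination that occurs within `window` after that user took a screen capture."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in sorted(events):  # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))

    alerts = []
    for user, evs in by_user.items():
        recent_captures = []
        for t, kind, detail in evs:
            if kind == "screen_capture":
                recent_captures.append(t)
            elif kind == "upload" and detail not in approved:
                # Keep only captures still inside the correlation window.
                recent_captures = [c for c in recent_captures if t - c <= window]
                if recent_captures:
                    alerts.append((user, recent_captures[-1].isoformat(), detail))
    return alerts


if __name__ == "__main__":
    for alert in find_capture_then_external_share(EVENTS):
        print("ALERT capture-then-external-share:", alert)
```

Uploads to sanctioned collaboration tools are suppressed by the baseline list, and a capture that is not followed by an external upload inside the window never fires, which keeps the rule from paging on routine screenshot use.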
Supplier risk management is also important, especially if support or customer success platforms come into contact with sensitive operational data.
What Action Will Customers Take Now to Reduce Risk?
Customers will want to know from the company what the insider could have accessed and shared, and whether any downstream systems or customer data were exposed. Expect requests for indicators of compromise, authentication logs, and conversations around privileged access management. Because of the attackers’ interest in the broader Salesforce ecosystem, wise teams will review federated identities, SSO trust relationships, and third-party app permissions across CRM tooling.
CrowdStrike’s response playbook probably involves a clear-eyed root-cause postmortem, newly focused credential resets, enhanced session monitoring, and policy tweaks to limit the capture and external sharing of internal screens. For everyone else in the industry? The lesson has been both known and pressing: Protect that human layer with the same ferocity already devoted to endpoints and cloud infrastructure, because it’s increasingly clear that attackers want to continue probing at every seam between person and process, people and platform.