In the second half of last month, CrowdStrike, one of the leading global cybersecurity vendors, confirmed an insider-driven data leak involving screenshots of internal systems. The images were later used by the cybercriminal coalition Scattered Lapsus$ Hunters to claim a broader compromise of CrowdStrike’s infrastructure, raising questions about insider risk and single sign-on (SSO) security.
What Actually Leaked: Internal Screenshots and Okta SSO Panel
The leaked screenshots surfaced in a Telegram channel associated with Scattered Lapsus$ Hunters, a loose alliance that includes members of Scattered Spider, LAPSUS$ and ShinyHunters. The images displayed internal dashboards, interface elements and links to corporate resources, including an Okta SSO panel used by employees to log into internal applications via single sign-on.
According to CrowdStrike, the incident was limited to visual exposure of the desktop belonging to an employee. The company states there was no technical compromise of its infrastructure, and customer systems and data remained unaffected. Nonetheless, publishing internal interfaces and URLs significantly supports attackers’ reconnaissance efforts, helping them map systems, identify technologies in use and plan future intrusion attempts.
Hackers’ Narrative: Paid Insider Access and SSO Cookie Theft
Alleged $25,000 Deal for Access to CrowdStrike
As reported by BleepingComputer, a person linked to ShinyHunters claimed the group paid an insider USD 25,000 in exchange for access to CrowdStrike’s network. The attacker asserted that the employee provided SSO authentication cookies—session tokens stored in the browser that allow a user to remain logged in without re-entering credentials.
SSO cookies are particularly valuable because they can enable session hijacking: if an attacker imports a valid session cookie into their own browser, they may bypass MFA and password prompts and act as the legitimate user until the session is terminated or invalidated.
Rapid Detection and Account Lockout
By the time the threat actors attempted to use the alleged SSO cookies, CrowdStrike reports it had already detected suspicious activity, disabled the employee account and launched an internal investigation. The company states that all unauthorized access attempts were blocked and that evidence has been handed over to law enforcement agencies.
Gainsight, Salesforce and Parallels with Previous OAuth Abuse
Scattered Lapsus$ Hunters attempted to link the CrowdStrike incident to a recent security issue involving Gainsight, a customer success platform deeply integrated with Salesforce. Salesforce had previously warned customers about a data exposure affecting certain publicly accessible Gainsight applications connected to its ecosystem.
The situation echoes the Salesloft incident in 2025, where attackers abused stolen OAuth tokens linked to a Drift chatbot integration, obtaining access to sensitive client data, including passwords, AWS keys and Snowflake tokens. OAuth tokens and SSO cookies serve similar purposes as “keys” to active sessions, making them high-value targets for attackers.
In this case, CrowdStrike has firmly denied any connection between its insider leak and the Gainsight exposure, emphasizing that this was a purely insider-based incident rather than a downstream effect of a third‑party integration compromise.
Scattered Lapsus$ Hunters Shift to Their Own Ransomware-as-a-Service
Against this backdrop, groups such as ShinyHunters and Scattered Spider, which form part of Scattered Lapsus$ Hunters, recently announced a move to their own Ransomware-as-a-Service (RaaS) platform branded ShinySp1d3r. This marks a strategic pivot away from relying on established ransomware families such as ALPHV/BlackCat, RansomHub, Qilin and DragonForce.
Under the RaaS model, operators develop and maintain the ransomware code and infrastructure, while affiliates conduct intrusions and share a percentage of ransom payments. Combining RaaS with paid insider access gives these groups a scalable and profitable model for targeting high‑value cloud, SaaS and cybersecurity providers.
Expert Analysis: Insider Threats, SSO Security and Zero Trust
Why Insiders Are Increasingly Central to Modern Attacks
Major industry reports, including the annual Verizon Data Breach Investigations Report (DBIR), consistently show that insiders are involved in a significant share of incidents, whether through malicious intent or negligence. Recent DBIR editions indicate that roughly one in five breaches involves internal actors.
As perimeter defenses, EDR and NGAV solutions improve, threat actors increasingly look for the “weakest link”—the human factor. Buying access from employees, stealing session cookies or pressuring staff through social engineering often bypasses traditional technical safeguards.
Practical Measures to Reduce Insider and SSO Risk
Key measures for organizations include:
1. Strict access control and least privilege. Limit each user’s access to only what they need, and separate duties for high‑risk roles. This reduces the blast radius if an account is misused.
2. Monitoring and analytics for account behavior. Implement UEBA or similar tools to detect anomalous logins, unusual locations, device changes and abnormal use of privileged functions.
3. Hardening SSO sessions and cookies. Protect SSO cookies with device binding, short session lifetimes, secure and HttpOnly flags, re‑authentication for sensitive actions and rapid revocation when risk is detected.
4. Zero Trust architecture. Treat every connection—internal or external—as untrusted by default. Continuously validate identity, device health and context instead of relying solely on network location.
5. Structured insider risk programs. Conduct background checks, provide clear legal and policy frameworks, maintain anonymous reporting channels and foster a culture where collaboration with criminals is socially and professionally unacceptable.
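The following is an added example, not code from CrowdStrike, Okta or any other vendor named in this article. It puts the session hijacking scenario described above (a valid SSO cookie imported into another browser) next to the hardening measures from points 2 and 3: a random session identifier set with Secure, HttpOnly and SameSite attributes, binding of the session to a device fingerprint, short idle and absolute lifetimes, step-up re-authentication for sensitive actions, and immediate revocation plus an alert record when the cookie is presented from a different device. All names, thresholds, fingerprint inputs and sample events are assumptions made for the example.

```python
"""SSO session hardening and cookie-replay detection (illustrative example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30 * 60        # seconds of inactivity before the session dies (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed)
STEP_UP_WINDOW = 5 * 60       # sensitive actions need a fresh auth within 5 min (assumed)


def device_fingerprint(user_agent: str, client_hint: str) -> str:
    """Hash of stable client attributes. A cookie imported into a different
    browser will normally arrive with a different fingerprint."""
    return hashlib.sha256(f"{user_agent}|{client_hint}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    device_fp: str
    issued_at: int
    last_seen: int
    last_auth: int
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # feed for UEBA / SIEM

    def issue(self, user: str, device_fp: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.sessions[sid] = Session(user, device_fp, now, now, now)
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie line carrying the attributes recommended in point 3."""
        return (f"Set-Cookie: sso_session={sid}; Secure; HttpOnly; "
                f"SameSite=Strict; Path=/; Max-Age={ABSOLUTE_LIFETIME}")

    def revoke_user(self, user: str) -> int:
        """Account lockout: kill every live session of one user."""
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)

    def reauthenticate(self, sid: str, now: int) -> None:
        """Record a fresh password/MFA check used for step-up."""
        self.sessions[sid].last_auth = now

    def validate(self, sid: str, device_fp: str, now: int, sensitive: bool = False):
        """Return (ok, reason). A device mismatch revokes the session and logs an
        alert, because the cookie is most likely being replayed elsewhere."""
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return False, "unknown_or_revoked"
        if not hmac.compare_digest(s.device_fp, device_fp):
            s.revoked = True
            self.alerts.append({"user": s.user, "reason": "device_mismatch", "at": now})
            return False, "device_mismatch"
        if now - s.issued_at > ABSOLUTE_LIFETIME:
            s.revoked = True
            return False, "absolute_lifetime_exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return False, "idle_timeout"
        if sensitive and now - s.last_auth > STEP_UP_WINDOW:
            return False, "reauth_required"
        s.last_seen = now
        return True, "ok"


def demo():
    """Walk through the replay scenario with constructed fingerprints."""
    store = SessionStore()
    legit = device_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "platform=Windows")
    sid = store.issue("employee", legit, now=1000)
    results = {"normal": store.validate(sid, legit, now=1060)}
    # Same cookie value presented from another browser (constructed attacker side)
    stolen = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "platform=Linux")
    results["replay"] = store.validate(sid, stolen, now=1120)
    # After revocation even the original device must log in again
    results["after_revoke"] = store.validate(sid, legit, now=1180)
    return results, store.alerts


if __name__ == "__main__":
    print(demo())
```

The fingerprint here is deliberately simple; in production the binding would typically use a TLS-bound or device-certificate-backed value rather than headers an attacker can copy, and the `alerts` list would go to the monitoring pipeline from point 2 so that a device mismatch triggers the same lockout path as any other suspicious login.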
The CrowdStrike case illustrates that even the most advanced cybersecurity vendors are not immune to insider threats and SSO-related risks. At the same time, the rapid detection of suspicious activity, swift account lockdown and lack of confirmed infrastructure compromise point to mature incident response capabilities. For organizations of any size, this incident is a strong signal to reassess insider risk management, harden SSO and OAuth integrations and invest in continuous monitoring of sessions and user behavior to make it significantly harder for attackers to monetize the human factor.