Two pillars of the tech world, Salesforce and CrowdStrike, have disclosed separate hacking incidents tied to the same notorious group, Scattered Lapsus$ Hunters, in a development that underscores vulnerabilities even at the highest levels of cybersecurity. The breaches, revealed this week, involve attempts to steal internal data and customer information, sending ripples through enterprise software and security sectors.
Salesforce alerted customers that hackers may have accessed their data via a breach in the customer support app Gainsight, a key tool for service operations. Meanwhile, CrowdStrike fired a ‘suspicious insider’ accused of leaking internal screenshots to the same hacking collective, as reported by The Information and TechCrunch.
Origins of the Scattered Lapsus$ Threat
The Scattered Lapsus$ Hunters group has a history of high-profile attacks, evolving from the original Lapsus$ collective known for social engineering and extortion. In October 2025, the group claimed to have stolen nearly 1 billion records from Salesforce customers, including data from FedEx, Qantas, and TransUnion, according to Reuters. This latest campaign escalates their focus on SaaS platforms.
CrowdStrike’s incident stemmed from an insider who shared sensitive internal information, prompting the company’s swift termination of the employee. ‘Crowdstrike and Salesforce both said this week that they are investigating incidents where hackers attempted to steal internal data, and a hacking group known as Scattered Lapsus$ Hunters has publicly claimed responsibility for both breaches,’ noted The Information.
Gainsight Breach Exposes Salesforce Customers
Salesforce’s alert specified that the intrusion into Gainsight, now part of its ecosystem, allowed potential access to customers’ Salesforce data. This follows a pattern: in August 2025, hackers used phone scams to breach Salesforce accounts at Google and Adidas, as detailed by Malwarebytes. Google later reported data theft from 200 companies following the Gainsight breach, per TechCrunch.
The Gainsight vector highlights risks in third-party apps integrated with core CRM systems. Salesforce customers were urged to review connected apps, echoing advice from Salesforce Ben, which tracked ShinyHunters’ earlier Salesforce customer hacks—a separate but related threat actor.
CrowdStrike’s Insider Betrayal
CrowdStrike denied a full network compromise but acted decisively against the insider. ‘Cybersecurity giant CrowdStrike has fired a “suspicious insider” who allegedly fed company information to the notorious Scattered Lapsus$ Hunters hacking collective,’ reported Techbuzz. Leaked screenshots showed internal tools, raising questions about detection in elite security firms.
This incident contrasts with CrowdStrike’s outward strength: despite partnerships such as its September 2025 AI security tie-up with Salesforce (CrowdStrike press release), the internal leak exposes the human factor. CrowdStrike’s posts on X emphasize cloud protection, but this breach tests that narrative.
Pattern of SaaS Extortion
Scattered Lapsus$ Hunters’ tactics blend social engineering, insider recruitment, and extortion. Their October leaks of millions of records from Salesforce hacks were covered by SecurityWeek. Ransomware ties emerged in analyses like Cloud Protection, linking attacks to British retailer ransomware waves.
Industry insiders note the group’s agility: they exploit misconfigurations in apps like Gainsight, then pivot to data theft. CrowdStrike’s Falcon platform, touted for stopping such threats, was undercut here by an insider rather than an external attack.
Broader Implications for Enterprise Security
These linked incidents signal a maturing threat to SaaS ecosystems. Salesforce’s vast customer base—millions of records exposed—amplifies the risk. CrowdStrike’s breach undermines trust in cybersecurity vendors, especially after its 2024 global outage.
Regulators may take a closer look: EU data protection laws and U.S. SEC disclosure rules both apply to incidents of this kind. Companies are auditing their connected apps, as recommended by Salesforce Ben.
Response Strategies and Future Risks
Salesforce and CrowdStrike are investigating, with no confirmed data exfiltration at CrowdStrike yet. Customers should enable MFA, revoke suspicious apps, and monitor logs. CrowdStrike’s recent Falcon Data Protection launch aims at runtime data safeguards.
Scattered Lapsus$ Hunters’ claims on X boast of further extortion to come, per TechCrunch. This pair of breaches foreshadows intensified SaaS targeting in 2026.
Lessons from the Frontlines
For CISOs, this underscores hybrid threats: external hacks plus insiders. CrowdStrike’s firing highlights monitoring needs, while Salesforce’s Gainsight issue stresses supply chain security. Joint defenses, like their AI partnership, may evolve into breach-response protocols.
WebProNews is an iEntry Publication