,

CrowdStrike Fires Insider Who Shared Screens Externally

the exploit blog logo
The Exploit: Penetration Testing Insights From The Frontlines
Posted on December 1, 2025
CrowdStrike Fires Insider Who Shared Screens and Auth Cookies Externally

Written by Andrew Trexler

A hacker group claimed to have gained access to CrowdStrike’s internal systems, showing screenshots to verify their access. While they claimed to have gained access by leveraging information from a separate breach, CrowdStrike fired a “suspicious insider” who shared pictures of their computer screen externally and has announced that their systems were never compromised. While the attackers claimed to have received SSO authentication cookies from the insider, CrowdStrike says that they had already discovered the insider and removed all access by that time.

While many breaches come from stolen credentials or phishing attacks, criminal gangs will also sometimes work with insiders to gain access to internal resources. This underscores the myriad of ways attackers use to gain access to systems and information and how organizations must be vigilant to prevent and catch such threats. CrowdStrike has provided the discovered information to law enforcement agencies.

Andrew Trexler

Andrew Trexler
Andrew graduated from the University of Pittsburgh with a degree in Information Science where he focused on networking and security. He continued his education by obtaining the Offensive Security Certified Professional (OSCP) and the eLearnSecurity Junior Penetration Tester (eJPT) certifications. When not participating in capture the flag events, Andrew works as a pyrotechnic operator setting up and shooting firework shows in the Pittsburgh area.

Search The Exploit Blog

Blog Categories

Stay up to date with the latest in penetration testing

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.