Hackers from the group *Scattered Lapsus$ Hunters* (linked to Shiny Hunters, Scattered Spider, and Lapsus$) created a **fraudulent account** in Google’s **Law Enforcement Request System (LERS)**, a platform used by global law enforcement to submit data requests (subpoenas, court orders, emergency disclosures). While **no requests were made** and **no data was accessed**, the unauthorized account created a severe risk that the attackers could **impersonate law enforcement** to extract sensitive user data. The group also claimed breaches of the **FBI’s eCheck system** and taunted Google, Mandiant, and the FBI before announcing a temporary retreat. Their prior attacks involved **social engineering** (tricking employees into exposing Salesforce data via Data Loader) and **GitHub secret leaks** (exploiting exposed tokens in Salesloft’s repositories), affecting major corporations like Adidas, Cisco, and Louis Vuitton. Though Google disabled the fraudulent account, the incident highlights vulnerabilities in high-stakes systems used for legal data requests, which carry a risk of **future abuse for unauthorized data extraction** and of **reputational damage** from the group’s public threats.
TPRM report: https://www.rankiteo.com/company/googlecloudsecurity
"id": "goo4002740091625",
"linkid": "googlecloudsecurity",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'None (no data accessed)',
'industry': 'Internet Services',
'location': 'Global (HQ: Mountain View, California, '
'USA)',
'name': 'Google',
'size': 'Large (Alphabet Inc.)',
'type': 'Technology Company'},
{'industry': 'Law Enforcement',
'location': 'USA',
'name': 'FBI (Federal Bureau of Investigation)',
'size': 'Large',
'type': 'Government Agency'}],
'attack_vector': ['Fraudulent Account Creation',
'Social Engineering',
'Credential Theft'],
'customer_advisories': ['Public statement confirming no data was accessed'],
'data_breach': {'data_exfiltration': 'No',
'number_of_records_exposed': '0',
'personally_identifiable_information': 'None',
'sensitivity_of_data': 'None',
'type_of_data_compromised': 'None'},
'date_publicly_disclosed': '2025-09-15',
'description': 'Google confirmed that hackers created a fraudulent account in '
'its Law Enforcement Request System (LERS) platform, which law '
'enforcement uses to submit official data requests. The '
'account was disabled, and no requests were made or data '
"accessed. The threat actor group 'Scattered Lapsus$ Hunters' "
"claimed responsibility, also alleging access to the FBI's "
'eCheck background check system. The group has ties to Shiny '
'Hunters, Scattered Spider, and Lapsus$ extortion groups and '
'has been involved in widespread data theft attacks targeting '
'Salesforce and other major companies.',
'impact': {'brand_reputation_impact': 'Moderate (public disclosure of '
'fraudulent account creation)',
'data_compromised': 'None (no data accessed)',
'identity_theft_risk': 'Potential (if account had been used to '
'impersonate law enforcement)',
'operational_impact': 'Potential risk of impersonating law '
'enforcement to access sensitive user data',
'systems_affected': ['Google Law Enforcement Request System '
'(LERS)']},
'initial_access_broker': {'entry_point': 'Fraudulent account creation in LERS '
'platform',
'high_value_targets': ['Google LERS',
'FBI eCheck system']},
'investigation_status': 'Ongoing (Google and FBI involved)',
'motivation': ['Data Theft',
'Extortion',
'Disruption',
'Taunting Security Researchers'],
'post_incident_analysis': {'root_causes': ['Insufficient authentication '
'controls for account creation in '
'LERS']},
'recommendations': ['Strengthen authentication mechanisms for law enforcement '
'request systems',
'Monitor for fraudulent account creation attempts',
'Enhance social engineering defenses',
'Improve collaboration with law enforcement to track '
'threat actors'],
'references': [{'date_accessed': '2025-09-15', 'source': 'BleepingComputer'}],
'response': {'communication_strategy': ['Public statement to BleepingComputer',
'Article title update to clarify no '
'breach occurred'],
'containment_measures': ['Disabled fraudulent account'],
'incident_response_plan_activated': 'Yes (account disabled)',
'law_enforcement_notified': 'Likely (FBI declined to comment)'},
'threat_actor': ['Scattered Lapsus$ Hunters',
'Shiny Hunters',
'Scattered Spider',
'Lapsus$'],
'title': "Fraudulent Account Created in Google's Law Enforcement Request "
'System (LERS)',
'type': ['Unauthorized Access', 'Social Engineering', 'Impersonation']}