Cybercrime group accessed Google Law Enforcement Request System (LERS)
September 16, 2025
Google found threat actors created a fake account in its Law Enforcement Request System (LERS) and shut it down.
Google confirmed that threat actors gained access to its Law Enforcement Request System (LERS) platform by creating a fake account.
The Google Law Enforcement Request System (LERS) is a secure online portal for verified government agencies to submit and track legal requests for user data. It enables law enforcement to request information from Google while ensuring compliance with proper legal processes.
Recently, the cybercrime group “Scattered Lapsus$ Hunters” claimed on Telegram to have obtained access to Google’s LERS platform and the FBI’s eCheck background check system.
“We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed.” Google told media outlets [1, 2]
The tech giant pointed out that the attackers made no requests using the fraudulent account, and it also stressed that no data was accessed. However, unauthorized access to Google’s LERS could expose user data, compromise investigations, enable fraudulent requests, and damage trust. Breaches of the FBI’s eCheck system risk theft of personal and criminal records, identity fraud, manipulation of background checks, and national security threats. Both systems’ sensitivity makes strong safeguards essential to protect privacy, data integrity, and institutional trust.
Threat actors first used social engineering to trick employees into linking Salesforce Data Loader to corporate accounts, enabling data theft and extortion. They later breached Salesloft’s GitHub repo, scanned code with Trufflehog, and found Drift authentication tokens, which they exploited to launch further Salesforce data theft attacks.
Salesforce data theft attacks impacted major customers like Allianz Life, Google, Zscaler, Cloudflare, Qantas, and Palo Alto Networks.
On September 11, the group posted a “Goodbye” message on BreachForums[.]hn to announce they were going in the dark
“Vanity is never but an ephemeral triumph. And manipulation of opinion is never anything else than vanity. This is why we have decided that silence will now be our strength.” the group wrote.
“You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active. Judicial decisions will keep on busy police officers, magistrates and journalists.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Google)
