Introduction
In a striking revelation, Google has confirmed that cybercriminals managed to gain access to its Law Enforcement Request System (LERS) — a highly sensitive platform designed for government agencies to legally request user data. Although Google insists that no data was accessed and no fraudulent requests were executed, the incident raises major questions about the security of digital platforms entrusted with sensitive law enforcement data. The case also highlights the growing sophistication of hacker groups that combine social engineering, technical exploits, and extortion tactics to target global corporations and institutions.
The Incident
Google’s LERS platform serves as a secure digital gateway for law enforcement agencies to submit, track, and manage legal data requests while maintaining compliance with official procedures. However, a cybercrime group known as “Scattered Lapsus$ Hunters” claimed via Telegram that it had successfully breached this system, along with the FBI’s eCheck background check system.
According to Google, attackers created a fraudulent law enforcement account within LERS. This account has since been disabled, and Google emphasized that no legal data requests were made and no user information was stolen. Nevertheless, the potential consequences of such access could have been catastrophic — including exposure of sensitive user data, manipulation of investigations, fraudulent subpoenas, and a collapse of institutional trust.
In parallel, unauthorized access to the FBI’s eCheck platform would have posed even greater risks, including the theft of criminal records, identity fraud, falsification of background checks, and national security vulnerabilities. Both systems are foundational pillars of law enforcement operations and data integrity, making their compromise especially alarming.
The threat group’s tactics reveal a multi-stage intrusion strategy. They began by using social engineering, convincing employees to connect Salesforce Data Loader to corporate accounts, enabling large-scale data theft and extortion. Later, they infiltrated Salesloft’s GitHub repository, scanning code with Trufflehog to identify authentication tokens for Drift. These tokens were then exploited to steal further Salesforce data.
The ripple effect of these attacks has been severe, hitting major corporations such as Allianz Life, Google, Zscaler, Cloudflare, Qantas, and Palo Alto Networks. The attacks show how supply-chain vulnerabilities and employee-targeted manipulation can lead to data theft at the highest corporate levels.
On September 11, the group posted a cryptic “Goodbye” message on BreachForums[.]hn, claiming they would retreat into silence. Their note framed past actions as “vanity-driven” and hinted that judicial investigations would keep law enforcement occupied. They also suggested that their names may still surface in undisclosed data breaches involving multinational corporations and government agencies — a warning that cyber risks are far from over.
What Undercode Say:
The Google LERS breach underscores the fragility of trust in digital law enforcement systems. While Google downplayed the incident, the fact that attackers could create a fraudulent law enforcement account is deeply unsettling. Even without direct data theft, this event demonstrates that identity verification mechanisms within critical infrastructure can be exploited, which could lead to devastating scenarios in the future.
First, the attackers’ use of social engineering is significant. It proves that even the strongest encryption or advanced firewalls can be bypassed if employees are manipulated into granting access. In this case, linking Salesforce Data Loader to corporate accounts may sound like an innocent operational request — yet it became the entry point for massive data theft. The human element remains the weakest link in cybersecurity defense.
Second, the attackers leveraged GitHub and token scanning tools such as Trufflehog to discover hidden authentication credentials. This highlights the ongoing danger of code repositories leaking secrets, especially in cloud-based and collaborative environments. Organizations often underestimate the value of embedded tokens, but as seen here, they can serve as golden keys to corporate systems.
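A defender-side version of that check, as an added example that is not from the original article or from any vendor named in it: a small Python scanner that flags assignments to credential-like names whose values look random, usable as a pre-commit or CI gate. The key-name pattern, the 3.5 bits-per-character entropy threshold and the sample file contents are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed heuristics: names that usually hold credentials, followed by a
# value of at least 16 characters.
SECRET_KEY = re.compile(
    r"""(?ix)\b([\w.-]*(?:token|secret|api[_-]?key|password|passwd)[\w.-]*)
        \s*[:=]\s*["']?([^\s"',;]{16,})""")
# Values that are references or dummies rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|<.*>|x+|changeme.*|example.*)$")
MIN_ENTROPY = 3.5  # bits per character; assumed threshold

# Constructed sample file content; none of these values is a real credential.
SAMPLE = '''\
# constructed sample config
DRIFT_API_TOKEN = "q7Zp2LmX9vT4cR8wK1sD6fHj"
drift_token = "${DRIFT_TOKEN_FROM_VAULT}"
api_key: "aaaaaaaaaaaaaaaaaaaaaaaa"
timeout = 30
'''


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan(text: str, path: str = "<memory>"):
    """Return one finding per suspicious assignment, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY.finditer(line):
            key, value = m.group(1), m.group(2)
            if PLACEHOLDER.match(value):
                continue  # vault reference or dummy value, not a leak
            h = shannon_entropy(value)
            if h >= MIN_ENTROPY:
                findings.append({"path": path, "line": lineno, "key": key,
                                 "entropy": round(h, 2),
                                 "preview": value[:4] + "…"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE, "config/sample.env"):
        print(finding)
```

A finding should be treated as a leaked credential: rotate it at the issuer, since removing the line from the latest commit leaves it in repository history.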
Third, the breach reveals a dangerous domino effect across industries. By infiltrating one platform, attackers accessed sensitive data from insurance, cloud security, airlines, and global enterprises. The interconnected nature of modern IT systems means that one breach can ripple across sectors, amplifying damages.
The group’s cryptic farewell message also deserves attention. On the surface, it may appear as if they are “retiring.” But historically, cybercriminal groups often rebrand, splinter, or go underground before resurfacing with new strategies. Their statement about future breach disclosures strongly implies that they have already compromised additional organizations and may be waiting for the right time to exploit or leak that data.
From a broader perspective, this case emphasizes the need for stronger verification systems for law enforcement portals. Google’s LERS — and any platform of similar sensitivity — should integrate multi-layered authentication, robust monitoring, and zero-trust principles. Moreover, there must be independent oversight to ensure companies aren’t solely responsible for guarding these high-value targets.
For corporations, the lesson is clear: cyber defense is no longer only about protecting one’s own perimeter. Vendors, third-party services, and even code repositories all represent possible infiltration routes. A holistic approach to cybersecurity is needed, combining employee awareness training, continuous monitoring, threat intelligence, and red-team testing to simulate attacks.
The FBI eCheck mention raises additional alarm. If attackers had actually gained access, the consequences would reach beyond corporate data theft — potentially threatening national security and undermining public trust in justice systems. Imagine fraudulent background checks being used to infiltrate government institutions or critical industries. Even without evidence that the FBI system was compromised, the very possibility highlights the geopolitical risks of cybercrime.
Finally, it’s crucial to note that cybercriminal groups thrive on reputation. By publicly announcing their “exit,” Scattered Lapsus$ Hunters are shaping their legacy while keeping law enforcement guessing. Their tactics reflect a blend of psychological warfare and operational strategy — projecting power even when inactive. For defenders, the real challenge is not to be lulled into complacency by such statements.
In short, the Google LERS breach is a wake-up call for governments, corporations, and citizens alike: sensitive platforms are only as strong as their weakest human or technical link.
🔍 Fact Checker Results
✅ Google confirmed the creation of a fraudulent LERS account.
✅ No legal requests were submitted, and no user data was accessed.
❌ Claims of FBI eCheck compromise remain unverified by official sources.
📊 Prediction
Cybercriminal groups like Scattered Lapsus$ Hunters are unlikely to remain silent for long. Instead, we can expect rebranded collectives or spin-offs to continue targeting high-value institutional systems such as law enforcement portals, financial databases, and healthcare networks. Future attacks will increasingly combine social engineering with automated code-scanning tools, making it harder for organizations to detect intrusions until too late. Governments and corporations that fail to adopt zero-trust architecture and stronger oversight mechanisms risk facing breaches far more damaging than the one Google narrowly avoided.
References:
Reported By: securityaffairs.com