Google has confirmed that a threat actor calling itself Scattered Lapsus$ Hunters succeeded in creating a fraudulent account in its Law Enforcement Request System (LERS), an online portal meant exclusively for verified law enforcement agencies. Although no data was accessed and no requests were made using the account, the incident raises serious questions about how such access could be granted in the first place. Google has since disabled the fake account.
Sources: TechRadar, BleepingComputer
Key Takeaways
– Approval and verification flaws exposed: The fact that a non-law-enforcement group could create a LERS account suggests weaknesses in Google’s vetting or approval process for granting access to highly sensitive systems.
– No breach of data—but proof of concept: Google insists that although the fraudulent account was real, no data was accessed and no requests submitted, meaning the immediate damage was contained. But as a proof of concept, this kind of penetration is worrisome.
– Threat actor credibility and pattern: The group behind this, Scattered Lapsus$ Hunters, reportedly includes members of, or is influenced by, previously known cybercrime groups such as Lapsus$, ShinyHunters, and Scattered Spider. Their past breaches, especially against Salesforce / Salesloft and other corporate targets, make this intrusion more credible and concerning.
In-Depth
The recent confirmation by Google that a fraudulent account was created within its Law Enforcement Request System (LERS) by Scattered Lapsus$ Hunters is troubling, although mitigated by the fact that no data was accessed and no requests were submitted. LERS is a system designed to channel only legally valid requests from law enforcement (subpoenas, warrants, court orders) through secure processes. It should have layers of identity verification, privilege checks, and other controls to prevent any actor from gaining illegitimate access.
How did this happen? The exact vector hasn’t been made fully public, but suspicions point toward impersonation of law enforcement credentials, gaps in the approval workflow, or social engineering / documentation fraud. The group in question, Scattered Lapsus$ Hunters, has a history of sophisticated cybercrime: stealing data via Salesforce-related attacks, accessing authentication tokens, and infiltrating repositories. Their claim to have “gone dark” shortly before posting the LERS account screenshot adds psychological pressure and a bit of theater, but it also suggests they are confident enough in their tradecraft to risk exposure.
Google’s response was prompt: disable the fraudulent account, confirm that no data was compromised, and likely initiate an internal review into how its verification protocols were bypassed (though public detail on the latter is scarce). From a conservative security perspective, even though there was no data loss this time, the risk profile raised by the incident is high—allowing any unauthorized actor into a law-enforcement-facing portal sets a precedent. Trust, once broken (or exposed to potential breakage), is hard to fully restore.
For users, agencies, and observers, the implications are twofold. First, it underscores the need for constant auditing of how access is granted, and of the criteria for verifying that access. Two-factor authentication, stronger credential checks, background credential sharing between law enforcement and platform providers, and perhaps even periodic re-validation of approved access might become more important. Second, it suggests that threat actors are not resting: they continue to find low-visibility ways to test defences, even when full-scale breaches are avoided.
Going forward, we ought to expect closer scrutiny from regulators around data protection, law enforcement oversight, and perhaps new standards or policies mandating stricter controls for platforms that host law enforcement request portals. In the big picture, no harm this time doesn’t mean no risk ever; this incident may serve as a warning shot to both Google and other tech firms.

