
Google has confirmed that threat actors successfully created a fraudulent account within its Law Enforcement Request System (LERS) platform, a critical portal used by authorized agencies to submit official data requests to the company. This incident, part of a broader and sophisticated campaign, highlights a persistent threat to official data channels that security professionals must understand. The breach demonstrates how attackers are targeting trusted systems to bypass standard legal procedures and gain access to sensitive user information.
This event is not isolated but connects to a larger pattern of attacks against corporate and government systems. Research indicates this specific law enforcement portal compromise is part of a dual-threat campaign that also includes the widespread exploitation of Salesforce CRM platforms at major corporations like Google, Adidas, and Cisco. The group UNC6040, also known as ShinyHunters, is central to these operations, utilizing social engineering to compromise internal systems and then escalating to public extortion attempts.
**TL;DR: Executive Summary**
* **Incident:** Unauthorized access to Google’s Law Enforcement Request System (LERS) to file fraudulent data requests.
* **Primary Actor:** UNC6040 (ShinyHunters) cybercrime group, some members of which were recently arrested.
* **Broader Campaign:** Part of a widespread attack targeting Salesforce CRM systems at multiple Fortune 500 companies.
* **Key Technique:** Social engineering, specifically voice phishing (vishing), to trick employees into authorizing malicious applications.
* **Data Impact:** Access to business contact information; no evidence of access to user passwords, financial data, or core Google systems.
* **Current Status:** Group has issued public threats against Google employees, demanding the cessation of an internal investigation.
Technical Analysis of the Attack Vectors
The compromise of Google’s LERS platform appears to follow a known pattern of attacks on law enforcement data systems. According to historical analysis, attackers typically gain initial access to these portals with compromised credentials obtained via infostealer malware or from insiders [5]. Once inside, they forge Emergency Data Requests (EDRs): requests that falsely assert an imminent threat to life so that the provider discloses account data voluntarily, without the subpoena, court order, or warrant a routine request would require. A report from May 2025 detailed a phishing campaign in which actors abused Google services to send such fraudulent law enforcement requests, indicating the method remains active and effective [3].
Simultaneously, the same group, UNC6040, was running a parallel attack against corporate Salesforce environments. In Google’s case this was a vishing attack in which the actors impersonated internal IT support and talked an employee into authorizing a malicious connected application disguised as the official Salesforce Data Loader, presented under the name “My Ticket Portal” to appear legitimate [2], [8]. Authorizing a connected app grants it an OAuth token with the employee’s data access, so the attackers obtained API access to an internal Salesforce CRM instance used by Google’s sales teams and used it to export business contact information for small and medium-sized business (SMB) clients.
Scope and Impact of the Data Breach
The data accessed in the Salesforce breach is a goldmine for highly targeted follow-on attacks. The compromised database contained company names, contact names, email addresses, phone numbers, and internal sales notes [2], [8]. This information allows for extremely convincing phishing and impersonation campaigns, as attackers can reference actual business communications and contexts. For security teams, the primary risk is that affected SMBs may receive fraudulent emails or calls that appear highly legitimate, attempting to trick them into sharing credentials or financial information.
Google has stated that the breach was contained. The company confirmed that no user passwords, financial data, Gmail inbox contents, or other internal Google systems were accessed [2], [9]; the intrusion was limited to the one sales engagement database. Other confirmed victims of this Salesforce CRM attack wave include Adidas, Cisco, Allianz Life, and several LVMH brands such as Dior and Louis Vuitton [8]. The global jewelry retailer Pandora was also breached, confirming that names and email addresses were stolen and warning customers to expect phishing attempts.
Operational Security and Extortion Tactics
Following Google’s public confirmation of the breach, the situation escalated into a public extortion campaign. A group calling itself Scattered LapSus Hunters published a demand on Telegram, threatening to release additional stolen information unless Google fired two named employees from its Threat Intelligence team and halted its internal investigation [2]. Naming individual defenders is a form of reputational pressure intended to create internal confusion and fear, a tactic cybercriminal groups increasingly use alongside traditional ransom demands.
Despite these claims, the group had not, as of the reporting, provided evidence of holding more data or of access to core Google systems. This underlines the need for verified threat intelligence and measured incident response. In a significant development, four suspected members of the ShinyHunters group were arrested in France in June 2025 [8]. The group’s operations, split into independent and adaptive cells, have nevertheless continued, demonstrating how hard decentralized cybercrime networks are to dismantle.
Relevance and Remediation for Security Professionals
For security teams, this campaign underscores several points. The human factor remains the weakest link: an organization with strong technical safeguards was still compromised through a well-prepared vishing call. Training on social engineering, vishing, and cloud application security should therefore be continuous and should teach a concrete rule rather than general awareness, for example that legitimate IT support will never ask an employee to authorize a connected application or approve an MFA prompt during an unsolicited call, and that any such request is verified by calling back through a known internal number.
Strict access controls and authentication mechanisms are equally important, with one caveat specific to this attack: universal Multi-Factor Authentication (MFA) would not have stopped it, because the victim authenticated legitimately and then granted the malicious app access. What limits this vector is restricting which connected apps users may authorize (administrator pre-approval instead of self-service consent), confining API access to known corporate egress addresses, and applying least privilege so that a single sales user’s token cannot read the whole CRM. On top of that, organizations should monitor for unusual data access or export patterns in cloud platforms such as Salesforce; automated alerts on large row counts pulled through the API, or on API access from unfamiliar locations, give early warning of a breach in progress.
A tested incident response plan that includes procedures for public extortion attempts and threats is also crucial. As this case shows, demands that name individual employees can follow public disclosure quickly, so the response, including how affected staff are supported and what is said publicly, should be decided in advance rather than under pressure. Organizations should also review third-party vendors and SaaS providers, and strictly control and audit OAuth-connected applications and their API permissions, so that trusted integrations cannot be misused.
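The export-volume and connected-app checks described above can be scripted against Salesforce Event Monitoring logs. The following is an added example, not code from Google, Salesforce, or the page’s sources. It parses constructed CSV records shaped loosely like the Salesforce “API” event type (the field names USER_ID, CLIENT_NAME, OPERATION, ENTITY_NAME, ROWS_PROCESSED and CLIENT_IP, the approved-app list, the row threshold and the egress prefix are all assumptions) and raises an alert when a connected app that is not on the approved list, or one operating from outside the known egress range, pulls a large number of rows. The sample log is constructed to resemble the “My Ticket Portal” pattern from the article.

```python
"""Flag suspicious bulk exports from a Salesforce org.

Added example; not Google's or Salesforce's code. The record layout below
is modelled on, but not guaranteed identical to, Salesforce's "API" event
log type. Everything configurable here is an assumption for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Connected apps the org has reviewed and pre-approved (assumption).
APPROVED_CLIENTS = {"Salesforce Data Loader", "Marketo Sync"}
# Rows exported per (user, app) in the window before volume is a concern.
ROW_THRESHOLD = 10_000
# Corporate egress range (assumption; TEST-NET-3 used as a stand-in).
KNOWN_EGRESS_PREFIX = "203.0.113."
# Operations that move data out of the org; writes are ignored here.
EXPORT_OPERATIONS = {"query", "queryall", "export"}

# Constructed sample records: one normal sync, one unapproved app pulling
# two large exports from an outside IP, one approved app doing a big write.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,OPERATION,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
API,20250805120000.000,005A1,Marketo Sync,query,Lead,250,203.0.113.10
API,20250805120100.000,005B2,My Ticket Portal,query,Account,9000,198.51.100.7
API,20250805120200.000,005B2,My Ticket Portal,query,Contact,12000,198.51.100.7
API,20250805120300.000,005C3,Salesforce Data Loader,insert,Opportunity,40000,203.0.113.22
"""


@dataclass
class Alert:
    user_id: str
    client_name: str
    rows: int
    reasons: tuple


def parse_api_events(text):
    """Yield one dict per CSV record; drop rows with a non-numeric row count."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["ROWS_PROCESSED"] = int(row.get("ROWS_PROCESSED") or 0)
        except ValueError:
            continue
        yield row


def find_suspicious_exports(text, approved=APPROVED_CLIENTS,
                            threshold=ROW_THRESHOLD,
                            egress_prefix=KNOWN_EGRESS_PREFIX):
    """Aggregate exported rows per (user, connected app) and score each pair.

    A pair is alerted on when at least two of these hold: the app is not
    pre-approved, the volume is at or above the threshold, or any request
    came from outside the known egress range. An approved app pulling a
    large export from the corporate network is ordinary Data Loader use
    and is deliberately not alerted on.
    """
    totals = defaultdict(int)
    ips = defaultdict(set)
    for ev in parse_api_events(text):
        if ev.get("OPERATION", "query").lower() not in EXPORT_OPERATIONS:
            continue
        key = (ev["USER_ID"], ev["CLIENT_NAME"])
        totals[key] += ev["ROWS_PROCESSED"]
        ips[key].add(ev.get("CLIENT_IP", ""))

    alerts = []
    for (user, client), rows in totals.items():
        reasons = []
        if client not in approved:
            reasons.append("unapproved connected app")
        if rows >= threshold:
            reasons.append(f"{rows} rows exported")
        if any(not ip.startswith(egress_prefix) for ip in ips[(user, client)]):
            reasons.append("access from outside known egress range")
        if len(reasons) >= 2:
            alerts.append(Alert(user, client, rows, tuple(reasons)))
    return sorted(alerts, key=lambda a: a.rows, reverse=True)


if __name__ == "__main__":
    for a in find_suspicious_exports(SAMPLE_LOG):
        print(f"ALERT user={a.user_id} app={a.client_name!r} "
              f"rows={a.rows} reasons={'; '.join(a.reasons)}")
```

Run against the constructed sample, the script reports a single alert for user 005B2 using “My Ticket Portal”, 21,000 rows across two objects from an outside address, while the approved Marketo sync and the Data Loader insert are ignored. In production the same logic would read the daily EventLogFile export and the approved-app list from the org’s connected-app policy, and the threshold should be set from a baseline of normal per-user export volume rather than the fixed number used here.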
The abuse of law enforcement request systems presents a distinct challenge for blue teams, because the malicious requests arrive through a channel that is itself trusted and appear to come from a legitimate agency account. Defending against this requires verification that goes beyond the credentials presented with the request: confirming the request out of band through a contact number or address obtained independently of the request itself, checking that the named officer and agency exist and that the request is consistent with the claimed emergency, and treating the “life or death” framing of an EDR as a reason for scrutiny rather than a reason to skip it. Sharing threat intelligence about compromised law enforcement accounts and credentials also helps providers recognize and reject fraudulent requests.