Hackers Threaten Google With Data Leak Unless Company Fires Two Threat Intelligence Employees

Hacking collective calls for the suspension of Google's network investigations.

A hacking collective calling itself "Scattered LapSus Hunters," has threatened to leak Google databases unless the company sacks two senior employees. Whilst the group has yet to provide any evidence that it holds Google data, Google has recently disclosed a third-party security breach involving Salesforce.

A newly emerged hacking collective, self-styled as "Scattered LapSus Hunters," has threatened to leak Google databases unless the company sacks two senior employees.

In a message posted on Telegram, the group demanded the dismissal of two Google Threat Intelligence Group staffers, whilst also calling for the suspension of Google's network investigations.

"Scattered LapSus Hunters" claims to be an alliance of hackers combining members from three notorious cybercrime communities: Scattered Spider, LapSus, and ShinyHunters. These groups have a long history of high-profile cyberattacks and data breaches affecting major corporations and government agencies worldwide.

Despite the threatening message, the group has not provided any evidence proving that it has accessed or stolen Google's data. Moreover, no recent breaches of Google's internal systems have been reported.

However, Google recently disclosed a security breach involving its third-party provider Salesforce, which hackers exploited through impersonation and malware attacks.

Salesforce Breach And Rising Phishing Risks

In August 2025, Google revealed that members of the ShinyHunters group had tricked Salesforce support staff into providing access to business contact databases.

While this breach did not compromise Gmail passwords or sensitive user information, it did expose client names and business contacts, which cybercriminals have used to craft sophisticated phishing and vishing (voice phishing) campaigns.

Google responded by issuing a global security alert urging its 2.5 billion Gmail users to update their passwords, clarifying that no Google accounts were directly hacked. Still, the incident has fueled a significant increase in account hijacking attempts, with nearly 37 percent now tied to phishing and vishing efforts leveraging stolen contact data.

'Scattered LapSus Hunters' Channel

The hacking group's Telegram channel, which first appeared on Aug. 8, 2025, featured a mix of partial breach samples, vendor lists – boasting about successful hacks on companies like Victoria's Secret, Gucci, and Neiman Marcus.

The channel also claimed intrusions involving government agencies in the U.S., the UK, France, Brazil, and India.

In addition to data theft, the collective revealed work on a ransomware-as-a-service (RaaS) product called "ShinySpider" or "ShinySp1d3r," positioning it as faster and more adaptive than competitors like LockBit and DragonForce.

Brandon Tirado, director of threat research at cybersecurity firm ReliaQuest, told The Register that Scattered Spider appears to serve as an initial access broker for ShinyHunters within a larger cybercriminal collective known as "The Com."

ShinyHunters has been active since 2020, and is known for database breaches affecting Snowflake, Ticketmaster, and AT&T. Some members of the group have been arrested in the US and Paris.

Scattered Spider is a SIM-swapping and ransomware gang responsible for major hacks, including the 2024 Las Vegas casino digital heists.

Lapsus$ is a group of young hackers behind a 2021-2022 spree targeting BT, Nvidia, Microsoft, and other tech giants via phone-based social engineering, SIM swapping, and insider recruitment for credentials and multi-factor authentication codes.

Google's Ongoing Security Measures

Google has not publicly commented on the ultimatum regarding its employees. The threat, however, highlights the increased risks tech companies face from advanced, multifaceted cybercriminal alliances.

The company is advising vigilance among users to guard against sophisticated fraud attempts exploiting stolen business contact data.

This article originally appeared on our sister site Computing.