Quick Summary

• Hackers calling themselves Scattered LapSus Hunters have demanded Google fire two employees or face leaks.
• The demand follows a Salesforce-related breach, not a direct Google hack.
• No Gmail or Cloud accounts were compromised, but phishing attempts are rising using stolen contact data.
• Google urges all Gmail users to reset passwords and enable 2FA.
• The threat shows a shift in hacker tactics—from stealing data to targeting people and influence.

A new hacker coalition issues demands after a recent security breach tied to Salesforce data

Hackers claiming to be part of a group called Scattered LapSus Hunters have issued a startling ultimatum to Google: fire two employees or risk having alleged internal records leaked online. The warning, reported by Newsweek and posted on Telegram, adds another layer of tension to Google’s ongoing battle with cybercriminal networks.

The hackers—who say they’re a mix of actors from groups such as Scattered Spider, LapSus, and ShinyHunters—want Google to stop its Threat Intelligence Group’s network probes and dismiss two named security professionals. At this stage, however, they have offered no proof that they possess sensitive Google data.

The threats come just weeks after Google confirmed that ShinyHunters accessed data from Salesforce, one of Google’s external service providers, through a phishing attack. While no Google customer accounts or Gmail data were directly compromised, the breach has fueled a surge in phishing and impersonation schemes aimed at everyday users.

Who Are the Scattered LapSus Hunters?

The group’s name suggests a loose alliance of known cybercriminal organisations:

• Scattered Spider: Infamous for targeting telecoms and tech firms.
• LapSus$: Responsible for high-profile breaches at Microsoft, Nvidia, and others.
• ShinyHunters: Known for massive data dumps on underground forums.

If their Telegram post is authentic, this new coalition reflects a trend: hackers pooling resources and branding themselves to magnify pressure on companies. It’s less about stealth and more about spectacle.

Did Hackers Really Breach Google?

So far, no evidence has surfaced that Google’s systems have been breached. Google confirmed in August that attackers infiltrated Salesforce data through a classic trick—posing as IT help desk staff to a Google partner, then planting malware.

Here’s what we know about the incident:

• The compromised Salesforce database contained business contact details—client names, business information, and internal references.
• No passwords or customer Gmail/Cloud data were exposed.
• Hackers have used the stolen contact information to launch phishing and vishing (voice phishing) campaigns.

Stat to note: Google reports that 37% of account hijacking attempts across its platforms now originate from phishing or vishing attacks.

This means while the breach didn’t directly touch Gmail accounts, millions of users could still face indirect risks from fake Google emails and scam calls.

Why Target Specific Google Employees?

Calling out individual employees—by name—is unusual, even in the world of ransomware and extortion. Analysts say it could serve multiple purposes:

• Intimidation: Targeting public-facing members of Google’s Threat Intelligence Group, which actively tracks hacker networks.
• Distraction: Shifting focus away from the fact that hackers haven’t shown evidence of breaching Google directly.
• Undermining trust: Suggesting insiders are responsible or that Google’s own staff could be “punished” for defending against cyberattacks.

For Google, firing employees under hacker pressure would set a dangerous precedent. Most cybersecurity experts believe the company will—and must—resist.

Why This Matters Beyond Google

Even if the hackers are bluffing, the incident underscores two broader realities:

1. Cyber extortion is shifting from data to influence. Hackers aren’t just demanding ransom payments anymore; they’re seeking to alter corporate behavior.
2. Supply chain risks remain Google’s Achilles’ heel. While Google itself may be hardened against attacks, third-party providers like Salesforce can become the weak links that open the door.

For users, the bigger risk isn’t a direct Gmail breach—it’s the highly convincing phishing emails that follow. Consider adding a visual explainer here showing:

• A genuine Google email vs. a phishing attempt.
• Common signs of voice-based scams.

What Users Should Do Now

Google has issued a global security alert urging all 2.5 billion Gmail users to take precautions. The company stresses that no consumer accounts were directly compromised, but phishing attempts are already circulating.

Practical steps include:

• Change your Gmail password and enable two-factor authentication (2FA).
• Be cautious of unsolicited calls claiming to be from Google support.
• Check email headers and sender addresses for inconsistencies.
• Report suspicious activity via Google’s Security Center.

For organizations, especially those using Google Workspace, it’s time to retrain staff on phishing recognition—since many attacks now use voice calls rather than just emails.

What Happens Next?

The Scattered LapSus Hunters’ threat may fizzle if they fail to produce evidence of access to Google’s systems. But their demand to fire employees, paired with the Salesforce-linked breach, guarantees Google will remain under scrutiny.This standoff highlights a troubling evolution: hacker groups leveraging media exposure to weaponize fear, rather than just stolen data. Whether the group is bluffing or not, the real cost is trust in platforms, in providers, and in the people tasked with defending them.