The FBI has issued a FLASH alert warning organizations about two cybercriminal groups, UNC6040 and UNC6395, that are actively targeting Salesforce environments to steal sensitive data and extort victims.
According to the advisory, the two groups use different techniques to gain access, and the FBI has released Indicators of Compromise (IOCs) so organizations can hunt for them and strengthen their defenses.
UNC6040, first identified by Google's Mandiant in June 2025, uses social engineering and vishing calls to trick employees into authorizing a malicious OAuth connected app, a modified Salesforce Data Loader presented under legitimate-sounding names such as "My Ticket Portal." Because the employee grants the app access through Salesforce's own OAuth flow, no credentials are stolen and the activity looks like an ordinary integration. Once the app was connected, the attackers used it to exfiltrate large volumes of Salesforce customer data, which the ShinyHunters group later used in extortion attempts. High-profile companies including Google, Adidas, Qantas, Allianz Life, Cisco, and Louis Vuitton were among those impacted.
A second wave of attacks, tracked as UNC6395, took place between August 8 and 18, 2025, and used OAuth access and refresh tokens stolen from the Salesloft Drift integration to reach customers' Salesforce instances. Here the attackers did not need to trick anyone: a sanctioned third-party app was already authorized, so the stolen tokens gave them the same access it had. The breach exposed support case records containing credentials, cloud access keys, and authentication tokens, so any secret that was pasted into a support case during that window should be treated as exposed and rotated. The incident was traced back to a compromise of Salesloft's GitHub repositories in March 2025. Companies affected in this round included Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, CyberArk, and Elastic.
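Both campaigns leave the same kind of trail: a connected app that the org never approved (the UNC6040 Data Loader lookalikes) or a legitimately approved app still pulling data after its tokens should have been revoked (the UNC6395 Drift token abuse), often with a row count far above normal. The following hunt script is an added example, not code from the FBI advisory, Mandiant, or Salesforce. It runs over constructed sample events whose columns are a simplified shape loosely modeled on Salesforce LoginHistory and EventLogFile data, not the real schema; the allowlist, the revocation cutoff and the 50,000-row threshold are assumptions to be tuned for your own org.

```python
"""Hunt constructed Salesforce-style login/API events for the two access patterns
in the FBI FLASH: an unapproved OAuth connected app and continued use of a
third-party app after its tokens were revoked, plus bulk data reads by either."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Connected apps the org has sanctioned. Assumption: a hypothetical allowlist,
# not a Salesforce default; replace with the apps approved in your own org.
APPROVED_APPS = {"Salesforce for iOS", "Data Loader (corporate)", "Salesloft Drift"}

# Third-party apps whose tokens were revoked, and when. Any use after the cutoff
# means revocation was incomplete or a stolen token is being replayed.
# Assumption: the date is a placeholder for your own revocation time.
REVOKED_APPS = {"Salesloft Drift": datetime(2025, 8, 20, tzinfo=timezone.utc)}

# Rows a single (user, app) pair may read before it looks like a bulk export.
BULK_ROW_THRESHOLD = 50_000

# Constructed sample events. The columns are a simplified shape loosely modeled
# on Salesforce LoginHistory / EventLogFile fields; this is not the real schema.
SAMPLE_EVENTS = """\
timestamp,user,app,source_ip,event_type,rows
2025-06-03T09:12:04Z,alice@example.com,Salesforce for iOS,198.51.100.10,login,0
2025-06-03T09:15:30Z,bob@example.com,My Ticket Portal,203.0.113.5,login,0
2025-06-03T09:16:02Z,bob@example.com,My Ticket Portal,203.0.113.5,api_query,48000
2025-06-03T09:18:40Z,bob@example.com,My Ticket Portal,203.0.113.5,api_query,52000
2025-08-12T02:40:11Z,integration@example.com,Salesloft Drift,192.0.2.77,api_query,3000
2025-08-22T04:05:19Z,integration@example.com,Salesloft Drift,192.0.2.77,api_query,2500
"""


def parse_events(text):
    """Parse CSV text into dicts with a tz-aware timestamp and an int row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Python < 3.11 fromisoformat() rejects a trailing 'Z', so normalize it.
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        row["rows"] = int(row["rows"])
        events.append(row)
    return events


def hunt(events, approved=APPROVED_APPS, revoked=REVOKED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return findings sorted by (rule, user, app). Each finding is a dict."""
    findings = []
    seen_unapproved = set()          # report each (user, app) pair once
    rows_by_pair = defaultdict(int)  # rows read per (user, app) across API calls
    for e in events:
        key = (e["user"], e["app"])
        # Rule 1: any activity through a connected app the org never approved.
        if e["app"] not in approved and key not in seen_unapproved:
            seen_unapproved.add(key)
            findings.append({"rule": "unapproved_app", "user": e["user"], "app": e["app"],
                             "detail": f"first seen {e['timestamp'].isoformat()} "
                                       f"from {e['source_ip']}"})
        # Rule 2: an approved app still active after its tokens were revoked.
        cutoff = revoked.get(e["app"])
        if cutoff is not None and e["timestamp"] >= cutoff:
            findings.append({"rule": "use_after_revocation", "user": e["user"], "app": e["app"],
                             "detail": f"{e['event_type']} at {e['timestamp'].isoformat()} "
                                       f"after cutoff {cutoff.isoformat()}"})
        if e["event_type"] == "api_query":
            rows_by_pair[key] += e["rows"]
    # Rule 3: cumulative read volume that looks like a data-set export.
    for (user, app), total in rows_by_pair.items():
        if total > threshold:
            findings.append({"rule": "bulk_export", "user": user, "app": app,
                             "detail": f"{total} rows read across API queries"})
    findings.sort(key=lambda f: (f["rule"], f["user"], f["app"]))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['rule']}] {f['user']} via {f['app']}: {f['detail']}")
```

The point of keeping Salesloft Drift on the allowlist in the sample is that a stolen token for a sanctioned app passes any "is this app approved" check; only the timeline (activity after your revocation) or the volume gives it away, which is why the three rules are evaluated independently rather than as one combined score.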
While the FBI did not officially name those responsible, ShinyHunters and a group calling itself "Scattered Lapsus$ Hunters" claimed responsibility, tying the campaigns to the Lapsus$ and Scattered Spider groups. In a final post on BreachForums, the hackers announced plans to "go dark" but also claimed to have accessed the FBI's E-Check background check system and Google's Law Enforcement Request portal, sharing screenshots as proof. The FBI declined to comment on the claims, and Google has not responded.