
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert containing indicators of compromise (IoCs) tied to two cybercriminal clusters — UNC6040 and UNC6395 — following a wave of data theft and extortion attacks targeting Salesforce environments.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms,” the FBI said.
UNC6395 has been linked to a large-scale campaign in August 2025 that used stolen OAuth tokens issued to the Salesloft Drift integration to access customers' Salesforce instances. The token theft traced back to the compromise of Salesloft's GitHub account between March and June 2025. In response, Salesloft took the Drift AI chatbot offline, isolated its infrastructure, and began adding stronger security controls.
“We are focused on the ongoing hardening of the Drift Application environment,” the company stated. “This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations. At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.”
The second group, UNC6040, has been active since October 2024 and is described by Google as a financially motivated actor. It is known for using vishing campaigns to gain initial access to organizations' Salesforce tenants and then exfiltrating data from them. The group has relied on a modified version of Salesforce Data Loader and custom Python scripts to pull large datasets. In some cases the stolen data has been used for extortion months after the initial breach.
“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls,” the FBI said. “After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk.”
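Both intrusions described above end the same way: a client the tenant trusts (a self-reported "Data Loader", or a legitimate integration whose OAuth token was stolen) issues API queries that return far more rows than normal business use ever does. The following is an added example, not code from the FBI alert, Google, Salesloft or Salesforce, of how a detection team could hunt for that pattern in Salesforce Event Monitoring "API" event log files. The column names (TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED, CLIENT_IP) are assumed from the Salesforce event log file format, the log rows are constructed for this example, and the allowlist, threshold and window are illustrative values a team would tune to its own baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Salesforce EventLogFile "API" export.
# Field names are assumed from the Salesforce event log file format; every
# value (users, IPs, client names, row counts) is invented for this example.
SAMPLE_API_LOG = """\
TIMESTAMP_DERIVED,USER_ID,USER_NAME,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED,CLIENT_IP
2025-08-08T09:00:05.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,query,2000,198.51.100.7
2025-08-08T09:00:40.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,queryMore,2000,198.51.100.7
2025-08-08T09:01:15.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,queryMore,2000,198.51.100.7
2025-08-08T09:01:50.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,queryMore,2000,198.51.100.7
2025-08-08T09:02:25.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,queryMore,2000,198.51.100.7
2025-08-08T09:02:59.000Z,005A1,alice@example.com,Salesforce Data Loader,Contact,queryMore,2000,198.51.100.7
2025-08-08T10:15:00.000Z,005B2,bob@example.com,Approved Reporting App,Opportunity,query,150,192.0.2.33
2025-08-08T11:00:00.000Z,005C3,svc-drift@example.com,Drift,Case,query,500,203.0.113.9
2025-08-09T02:00:00.000Z,005C3,svc-drift@example.com,Drift,Account,query,50000,203.0.113.9
"""

# Hypothetical allowlist of connected-app / client names approved for this tenant.
# Note that a vishing victim can be talked into approving a Data Loader, so a
# stolen integration token (the Drift case) sits *inside* the allowlist; the
# volume rule below is what catches that.
ALLOWED_CLIENTS = {"Approved Reporting App", "Drift"}


def parse_api_log(text):
    """Parse CSV event rows into dicts with a UTC timestamp and an int row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["USER_NAME"],
            "client": row["CLIENT_NAME"],
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"] or 0),
            "ip": row["CLIENT_IP"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_exfil(events, allowed_clients, row_threshold=10_000,
                      window=timedelta(minutes=10)):
    """Return findings for (user, client) pairs that are unapproved or that
    pulled more than row_threshold rows inside any sliding time window.

    CLIENT_NAME is self-reported by the caller, so the allowlist rule is only a
    tripwire; the sliding-window volume rule is the one that does not depend on
    the attacker telling the truth about its tooling.
    """
    findings = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["client"])].append(e)

    for (user, client), evs in sorted(by_actor.items()):
        if client not in allowed_clients:
            findings.append({"rule": "unapproved_client", "user": user,
                             "client": client,
                             "rows": sum(e["rows"] for e in evs)})
        # Two-pointer sliding window over the time-sorted events of this actor.
        peak, peak_span, running, start = 0, None, 0, 0
        for end, e in enumerate(evs):
            running += e["rows"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                running -= evs[start]["rows"]
                start += 1
            if running > peak:
                peak, peak_span = running, (evs[start]["ts"], evs[end]["ts"])
        if peak > row_threshold:
            findings.append({"rule": "bulk_volume", "user": user,
                             "client": client, "rows": peak, "span": peak_span})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bulk_exfil(parse_api_log(SAMPLE_API_LOG), ALLOWED_CLIENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:18} user={f['user']} client={f['client']} rows={f['rows']}")
```

On the constructed data this flags the Data Loader session twice (it is not on the allowlist, and its chained queryMore calls move 12,000 rows in under three minutes) and flags the Drift service user once, for a single 50,000-row query that an approved integration had never made before; the ordinary reporting user is not flagged. In a real tenant the same logic runs over the daily or hourly event log files, with the threshold set from the historical rows-per-window distribution for each integration rather than a fixed number.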
Google has attributed the extortion phase to another cluster, UNC6240, which has claimed affiliation with ShinyHunters. Although ShinyHunters recently announced, alongside Scattered Spider and LAPSUS$, that they are shutting down — saying, “Our objectives having been fulfilled, it is now time to say goodbye” — security researchers warn this may be temporary.
“Recent arrests may have prompted the group to lay low, but history tells us this is often temporary,” said Sam Rubin of Unit 42. “Silence from a threat group does not equal safety.”
