Salesforce platforms are being cracked open for data theft – FBI warns of UNC6040 and UNC6395 IOCs

By Sead Fadilpašić

15 September 2025

Two groups are going after data held in Salesforce accounts

Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal sensitive data
UNC6395 exploits integrations like the Salesloft Drift chatbot, while UNC6040 uses phone-based social engineering to impersonate IT staff and gain access
The FBI warns that follow-up extortion attacks are often carried out by ShinyHunters, linked to Scattered Spider

Two separate threat actors are currently targeting organizations’ Salesforce accounts to steal sensitive data found within. This is according to the US Federal Bureau of Investigation (FBI), which recently issued a FLASH advisory to warn businesses about the ongoing threat.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” the agency said in its advisory.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”

Scattered Spider and ShinyHunters

There have been numerous recent reports of cybercriminals compromising company Salesforce accounts through the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.

The FBI labeled this group UNC6395, and it apparently struck some of the biggest tech and security organizations, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and others.

The other group, UNC6040, gained access by tricking its victims into granting it. The attackers would call victims on the phone, posing as IT support employees addressing enterprise-wide connectivity issues.
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data,” the FBI explained.

A threat actor known to have perfected this technique is Scattered Spider. While the FBI did not name that group in its advisory, it did say that the follow-up extortion attacks were usually mounted by ShinyHunters, a group known to have been working together with Scattered Spider. At one point, the groups even merged into an entity they dubbed ScatteredLapsus$Hunters.
Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
