- The FBI warned about two cybercriminal groups, UNC6040 and UNC6395, involved in major data thefts and extortion.
- Both groups have recently targeted organizations using Salesforce platforms through different entry methods.
- Attacks on Salesloft and its AI chatbot Drift exploited compromised OAuth tokens, traced back to a breach in the company’s GitHub account.
- UNC6040 used vishing and phishing tactics to access Salesforce data, followed by extortion attempts.
- Cybercrime groups including ShinyHunters, Scattered Spider, and LAPSUS$ announced they are halting operations, but experts warn threats likely persist.
The U.S. Federal Bureau of Investigation (FBI) has issued an alert identifying cybercriminal groups UNC6040 and UNC6395 for recent data theft and extortion attacks against organizations’ Salesforce platforms. These attacks occurred between March and September 2025 and affected several companies using cloud-based sales and customer platforms.
According to the FBI, UNC6395 launched a widespread data theft campaign in August 2025 by exploiting stolen authentication credentials, called OAuth tokens, for the Salesloft Drift application. Salesloft revealed the breach resulted from unauthorized access to its GitHub account between March and June 2025. As a security measure, the company took the Drift AI chatbot offline, strengthened multi-factor authentication, and enhanced its GitHub protections.
Salesloft advised customers to consider all Drift integrations potentially compromised and stated they are working to further secure the Drift environment by updating credentials, temporarily disabling parts of Drift, and tightening security settings. “We are focused on the ongoing hardening of the Drift Application environment,” the company said in an official update.
The FBI also reported that UNC6040, active since October 2024, conducted vishing (voice phishing) campaigns to gain access to victims’ Salesforce accounts. Attackers used altered versions of Salesforce’s Data Loader application and custom scripts to steal large amounts of sensitive data. In many incidents, data theft was followed by extortion threats months later. Google noted some extortion messages claimed to be from the group ShinyHunters, and that the attackers might launch a data leak site to pressure victims.
Recently, ShinyHunters, Scattered Spider, and LAPSUS$ stated on their Telegram channel that they are shutting down, along with other well-known cyber actors. They cited completed objectives and mentioned law enforcement actions as possible reasons for stopping their activity. “Our objectives having been fulfilled, it is now time to say goodbye,” the group posted.
Experts advise organizations to stay alert, as history shows such groups often reappear under new names, and existing risks from stolen data and hidden threats may remain.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Rio to Host First Permanent BRICS Headquarters in 2025
- SEC Chair Atkins Vows Clear Crypto Rules, Launches ‘Project Crypto’
- US Government Likely to Form Strategic Bitcoin Reserve by 2024 End
- Arthur Hayes Urges Patience as Bitcoin Lags Behind Stocks, Gold Highs
- Kalshi Vows Court Fight as Massachusetts Sues Over Sports Bets
