BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

FBI Warns of Salesforce Data Breaches by UNC6040, UNC6395 Groups

FBI Warns of Salesforce Data Breaches Linked to UNC6040 and UNC6395 as Major Cybercrime Groups Claim Shutdown

  • The FBI warned about two cybercriminal groups, UNC6040 and UNC6395, involved in major data thefts and extortion.
  • Both groups have recently targeted organizations using Salesforce platforms through different entry methods.
  • Attacks on Salesloft and its AI chatbot Drift exploited compromised OAuth tokens, traced back to a breach in the company’s GitHub account.
  • UNC6040 used vishing and phishing tactics to access Salesforce data, followed by extortion attempts.
  • Cybercrime groups including ShinyHunters, Scattered Spider, and LAPSUS$ announced they are halting operations, but experts warn threats likely persist.

The U.S. Federal Bureau of Investigation (FBI) has issued an alert identifying cybercriminal groups UNC6040 and UNC6395 for recent data theft and extortion attacks against organizations’ Salesforce platforms. These attacks occurred between March and September 2025 and affected several companies using cloud-based sales and customer platforms.

- Advertisement -

According to the FBI, UNC6395 launched a widespread data theft campaign in August 2025 by exploiting stolen authentication credentials, called OAuth tokens, for the Salesloft Drift application. Salesloft revealed the breach resulted from unauthorized access to its GitHub account between March and June 2025. As a security measure, the company took the Drift AI chatbot offline, strengthened multi-factor authentication, and enhanced its GitHub protections.

Salesloft advised customers to consider all Drift integrations potentially compromised and stated they are working to further secure the Drift environment by updating credentials, temporarily disabling parts of Drift, and tightening security settings. “We are focused on the ongoing hardening of the Drift Application environment,” the company said in an official update.

The FBI also reported that UNC6040, active since October 2024, conducted vishing (voice phishing) campaigns to gain access to victims’ Salesforce accounts. Attackers used altered versions of Salesforce’s Data Loader application and custom scripts to steal large amounts of sensitive data. In many incidents, data theft was followed by extortion threats months later. Google noted some extortion messages claimed to be from the group ShinyHunters, and that the attackers might launch a data leak site to pressure victims.

Recently, ShinyHunters, Scattered Spider, and LAPSUS$ stated on their Telegram channel that they are shutting down, along with other well-known cyber actors. They cited completed objectives and mentioned law enforcement actions as possible reasons for stopping their activity. “Our objectives having been fulfilled, it is now time to say goodbye,” the group posted.

- Advertisement -

Experts advise organizations to stay alert, as history shows such groups often reappear under new names, and existing risks from stolen data and hidden threats may remain.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Ohio County Paid $1M After Data Heist

Union County, Ohio, paid roughly $1 million in Bitcoin to the cyber group Kairos...

Bitcoin’s 2026 Outlook: Sideways Trading Before Any Big Rally

Bitcoin is currently trading between $58,000 and $62,000, a steep drop from its October...

North Korean PolinRider Hackers Publish 108 Malicious Packages

North Korean-linked threat actors, known as Contagious Interview, have expanded their PolinRider supply-chain campaign...

FatFs Flaws Let Malicious Media Hijack Millions of Devices

Seven vulnerabilities (CVE-2026-6682 to CVE-2026- 6688) were found in the widely used FatFs filesystem library,...

Saylor Rage-Quits Channel 4 Over Bitcoin Grilling

Michael Saylor ended a Channel 4 interview by accusing the reporter of being offensive...

Must Read

TOP 12 Day Trading Crypto Books For Beginners

Day trading cryptocurrencies has become an increasingly popular financial activity, offering the potential for huge returns to those who understand the market's complexities and...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading