FBI Issues Warning: UNC6040 and UNC6395 Target Salesforce Platforms for Data Theft Attacks

The U.S. Federal Bureau of Investigation (FBI) has released a flash alert detailing indicators of compromise (IoCs) linked to two cybercriminal groups identified as UNC6040 and UNC6395, which are engaged in data theft and extortion activities targeting Salesforce platforms.

The FBI noted that both criminal organizations have been leveraging different methods to gain initial access to their targets. Specifically, UNC6395 orchestrated a significant data theft campaign in August 2025, exploiting compromised OAuth tokens related to the Salesloft Drift application. This breach stemmed from a compromise of Salesloft’s GitHub account, which occurred between March and June 2025.

In response to the incident, Salesloft has isolated the Drift infrastructure, taking the AI chatbot application offline. The company is implementing new multi-factor authentication protocols and reinforcing GitHub security measures. Salesloft advised all Drift users to consider their integrations and associated data potentially compromised.

Meanwhile, UNC6040 has been active since October 2024 and is also noted for its financially motivated hacking efforts, which include using vishing tactics to commandeer Salesforce accounts for extensive data theft and extortion. This group has utilized a modified version of Salesforce’s Data Loader application alongside custom Python scripts to infiltrate victim Salesforce portals, resulting in the large-scale extraction of data. Reports indicate that certain instances of intrusion have been followed by extortion attempts.

The FBI highlighted that UNC6040 deploys phishing panels to lure victims during social engineering calls, then uses the resulting access to exfiltrate substantial volumes of data via API queries. The extortion phase has been associated with another unidentified group, referred to as UNC6240, which has claimed to represent ShinyHunters in communications with the victims.

Recently, there has been a notable collaboration among criminal groups, including ShinyHunters, Scattered Spider, and LAPSUS$, aiming to consolidate their malicious activities. However, on September 12, 2025, the unified group announced its cessation of operations, citing concerns over law enforcement interventions.

According to cybersecurity experts, even if these groups appear to go dormant temporarily, the threat they pose does not dissipate completely. Organizations must remain vigilant and operate under the assumption that the risk persists, as historical patterns show that such entities can rapidly rebrand and resume their operations.

