The FBI on Friday released an alert warning that two hacker groups have been targeting Salesforce instances for extortion and data theft.
The two groups, tracked as UNC6040 and UNC6395, have used different methods of gaining initial access in recent attacks, according to the FBI. The alert includes indicators of compromise and additional guidance to help security teams determine whether they have been targeted and to prevent future attacks.
UNC6040 has used voice phishing to gain access to the Salesforce accounts of targeted organizations. Since October 2024, the group has used social-engineering tactics to get customer-support agents to hand over employee credentials, according to the alert.
Salesforce previously warned about these social engineering attacks in March, and researchers from Google Threat Intelligence Group warned about UNC6040 in June.
The FBI said some victims have received extortion demands from hackers calling themselves ShinyHunters. The demands have arrived between several days and several months after the breaches.
The attacks from UNC6395 relied on compromised OAuth tokens for Salesloft Drift, an AI-based chatbot integrated with Salesforce. In these attacks the hackers stole data after compromising victims’ Salesforce instances.
By late August, the companies had revoked all active access and refreshed their tokens, preventing the hackers from further accessing Salesforce platforms through Salesloft Drift, according to the FBI.
The supply chain attacks potentially affected hundreds of organizations, and multiple security companies disclosed potential breaches of their customers.
Security researchers told Cybersecurity Dive that a threat group claiming ties to ShinyHunters, Scattered Spider and Lapsus$ — which claimed responsibility for hacking Jaguar Land Rover and other high-profile targets — has taken down its dark web sites in recent days.
Jaguar Land Rover has not publicly discussed how hackers gained access to its systems, but it did previously confirm that it was investigating the group's claims.
Researchers suspect that move is related to increased law-enforcement activity, but it remains unclear if authorities have arrested any of the hackers. Experts also said the attackers are likely to rebrand under a different name rather than completely cease their activities.
It is not clear whether the attack on JLR is related to the activity described in the FBI alert. The bureau did not respond to a request for comment.