FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks
"The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said. UNC6395 is a threat group that has been attributed to a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application."
"As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it's in the process of implementing new multi-factor authentication processes and GitHub hardening measures. "We are focused on the ongoing hardening of the Drift Application environment," the company said. "This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations." "At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.""
"The second group the FBI has called attention to is UNC6040. Assessed to be active since October 2024, UNC6040 is the name assigned by Google to a financially motivated threat cluster that has engaged in vishing campaigns to obtain initial access and hijack Salesforce instances for large-scale data theft and extortion. These attacks have involved the use of a modified version of Salesforce's Data Loader application and custom Python scripts to breach victims' Salesforce portals and exfiltrate valuable data."
The FBI flash alert releases indicators of compromise for UNC6040 and UNC6395, two groups linked to data theft and extortion campaigns against Salesforce platforms that relied on different initial access mechanisms. UNC6395 abused compromised OAuth tokens issued to the Salesloft Drift application, an intrusion enabled by a Salesloft GitHub breach that ran from March through June 2025. Salesloft isolated the Drift infrastructure, took the AI chatbot offline, rotated credentials, and began rolling out multi-factor authentication and GitHub hardening, while advising customers to treat all Drift integrations and related data as potentially compromised. UNC6040, active since October 2024, used vishing for initial access and then a modified version of Salesforce's Data Loader application together with custom Python scripts to exfiltrate data from victims' Salesforce portals.
Read at The Hacker News