The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks.

UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

The second group the FBI has called attention to is UNC6040. Assessed to be active since October 2024, UNC6040 is the name assigned by Google to a financially motivated threat cluster that has engaged in vishing campaigns to obtain initial access and hijack Salesforce instances for large-scale data theft and extortion.  

These attacks have involved the use of a modified version of Salesforce's Data Loader application and custom Python scripts to breach victims' Salesforce portals and exfiltrate valuable data. At least some of the incidents have involved extortion activities following UNC6040 intrusions, with them taking place months after the initial data theft