UNC6040 and UNC6395 Salesforce data theft and extortion campaign
Campaign
Summary
Workiva disclosed that attackers who accessed a third-party CRM system stole a limited set of business contact information from some customers, including names, email addresses, phone numbers, and support ticket content. Workiva said the Workiva platform and data within it were not accessed or compromised. The event is part of the broader Salesforce data breach wave linked to ShinyHunters, aligning it with the UNC6040/UNC6395 campaign.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Finnish arrest and U.S. charges in Bouquet Scattered Spider case
Law Enforcement
First: 28.04.2026 18:39
Last: 28.04.2026 18:39
Sources 1
About this happening:
**Finnish law enforcement** arrested **Bouquet**, and **U.S. federal prosecutors** later charged him in a cross-border **Scattered Spider** cybercrime case. The charges include **...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Timeline
- 08.10.2025 03:17 2 articles · 7mo ago
  Salesforce refuses ransom demand after leak site launch
  Legal Policy Action Update: Salesforce says it will not negotiate with or pay any extortion demand from Scattered Lapsus$ Hunters after the group launched a breachforums[.]hn data leak site to extort 39 companies whose data was stolen from Salesforce; the site now appears shut down and the domain uses surina.ns.cloudflare.com and hans.ns.cloudflare.com nameservers.
  Sources:
  - Salesforce refuses to pay ransom over widespread data theft attacks — www.bleepingcomputer.com — 08.10.2025 03:17
  - Feds Shutter ShinyHunters Salesforce Extortion Site — www.darkreading.com — 10.10.2025 19:38
- 03.10.2025 17:16 3 articles · 7mo ago
  Scattered Lapsus$ Hunters launches new Salesforce leak site
  Campaign Scope Update: Scattered Lapsus$ Hunters launched a new data leak site on 2025-10-03 to extort 39 companies affected by Salesforce breaches, posting samples allegedly stolen from victims' Salesforce instances and warning them to respond before the October 10 deadline; the group also said a separate site would target companies affected by Salesloft Drift attacks.
  Sources:
  - ShinyHunters launches Salesforce data leak site to extort 39 victims — www.bleepingcomputer.com — 03.10.2025 17:16
  - Scattered Lapsus$ Hunters Returns With Salesforce Leak Site — www.darkreading.com — 03.10.2025 22:27
  - Ransomware Group “Trinity of Chaos” Launches Data Leak Site — www.infosecurity-magazine.com — 06.10.2025 18:00
- 22.09.2025 21:01 2 articles · 8mo ago
  Stellantis confirms customer data theft linked to ShinyHunters
  Victim Impact Update: Stellantis confirmed that attackers accessed a third-party service provider platform supporting its North American customer service operations and stole some North American customers' contact information; ShinyHunters claimed responsibility and said it took over 18 million Salesforce records, including names and contact details, from Stellantis's Salesforce instance.
  Sources:
  - Automaker giant Stellantis confirms data breach after Salesforce hack — www.bleepingcomputer.com — 22.09.2025 21:01
  - SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40
- 13.09.2025 12:04 1 article · 8mo ago
  scattered LAPSUS$ hunters 4.0 claims shutdown
  Untyped Phase: The group using the Telegram channel "scattered LAPSUS$ hunters 4.0" claimed it was going dark and shutting down after alleging that French law enforcement had arrested the wrong person in connection with the cybercrime group.
  Sources:
  - FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
- 13.09.2025 12:04 3 articles · 8mo ago
  FBI flash alert on UNC6040 and UNC6395 Salesforce intrusions
  Initial Disclosure: The FBI issued a flash alert with IoCs for UNC6040 and UNC6395 after both groups were observed targeting organizations' Salesforce platforms through different initial-access methods. UNC6395 was tied to an August 2025 Salesloft Drift campaign that used compromised OAuth tokens, while Salesloft said the activity was enabled by a breach of its GitHub account from March through June 2025. UNC6040 was assessed to be active since October 2024 and used vishing, a modified version of Salesforce's Data Loader application, and custom Python scripts to breach Salesforce portals, exfiltrate data in bulk, and support later extortion.
  Sources:
  - FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks — thehackernews.com — 13.09.2025 12:04
  - FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data — www.bleepingcomputer.com — 15.09.2025 00:56
  - FBI Warns of Threat Actors Hitting Salesforce Customers — www.darkreading.com — 15.09.2025 23:02