Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

FBI IC3 advisory on Salesforce-targeting threat actors

Public Sector Action
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The FBI's Internet Crime Complaint Center (IC3) published an advisory warning that UNC6040 and UNC6395 are targeting Salesforce customers to steal data and extort victims. The warning gives affected organizations fresh context on the threat, including vishing, stolen OAuth tokens, and follow-on extortion activity. It matters because the advisory is a concrete official warning aimed at helping organizations reduce exposure across Salesforce-connected environments.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Open Happening

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

Open Happening

CISA April 7 Rockwell Automation/Allen-Bradley PLC mitigation advisory

Advisory/Mitigation
First: 08.04.2026 11:15 Last: 08.04.2026 11:15 Sources 1

About this happening: **CISA** and authoring agencies issued **April 7** mitigation guidance for **internet-facing OT assets**, warning that **US critical infrastructure** operators using **Rockwell Au...

Open Happening

FBI/CISA joint advisory on PLC targeting

Public Sector Action
First: 07.04.2026 21:02 Last: 07.04.2026 21:02 Sources 1

About this happening: The **FBI, CISA, NSA, EPA, DOE, and CNMF** issued a **joint advisory** warning U.S. critical-infrastructure defenders about **Internet-exposed Rockwell/Allen-Bradley PLCs**. The a...

Open Happening

FBI public warning on Signal and WhatsApp phishing

Public Sector Action
First: 20.03.2026 22:45 Last: 20.03.2026 22:45 Sources 1

About this happening: The **FBI** issued a **public service announcement** warning that **Signal** and **WhatsApp** users are being targeted in **phishing campaigns**. The warning says the activity has...

Open Happening

Timeline

  1. 15.09.2025 23:02 1 articles · 8mo ago

    Salesloft revokes Drift tokens

    Mitigation Patch Update

    Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating threat actor access to victims' Salesforce platforms from the previously connected Salesloft app. Salesforce later re-enabled integrations with Salesloft technologies except any Drift app, which remained disabled until further notice.

    Show sources
    Open in new tab
  2. 15.09.2025 23:02 2 articles · 8mo ago

    FBI IC3 warns of Salesforce-targeting threat actors

    Initial Disclosure

    The FBI's Internet Crime Complaint Center (IC3) warned that UNC6040, also known as ShinyHunters, and UNC6395 are targeting Salesforce customers for data theft and extortion. The advisory says UNC6040 has used vishing and social engineering to pose as IT support staff and trick employees into granting access or sharing credentials, while UNC6395 used stolen OAuth tokens from Salesloft's Drift application to compromise Salesforce-connected victims. The FBI recommended training call center employees, requiring phishing-resistant MFA, implementing authentication, authorization, and accounting (AAA) systems, enforcing IP-based access restrictions, monitoring logs and browser activity, and reviewing third-party connections.

    Show sources
    Open in new tab