Find notable cyber news and cases, enriched with sources, timelines, and signals.

FBI IC3 advisory on Salesforce-targeting threat actors

Public Sector Action
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

The FBI's Internet Crime Complaint Center (IC3) published an advisory warning that UNC6040 and UNC6395 are targeting Salesforce customers to steal data and extort victims. The warning gives affected organizations fresh context on the threat, including vishing, stolen OAuth tokens, and follow-on extortion activity. It matters because the advisory is a concrete official warning aimed at helping organizations reduce exposure across Salesforce-connected environments.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
H score66 First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
H score65 First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

CISA April 7 Rockwell Automation/Allen-Bradley PLC mitigation advisory

Advisory/Mitigation
H score32 First: 08.04.2026 11:15 Last: 08.04.2026 11:15 Sources 1

About this happening: **CISA** and authoring agencies issued **April 7** mitigation guidance for **internet-facing OT assets**, warning that **US critical infrastructure** operators using **Rockwell Au...

FBI/CISA joint advisory on PLC targeting

Public Sector Action
H score38 First: 07.04.2026 21:02 Last: 07.04.2026 21:02 Sources 1

About this happening: The **FBI, CISA, NSA, EPA, DOE, and CNMF** issued a **joint advisory** warning U.S. critical-infrastructure defenders about **Internet-exposed Rockwell/Allen-Bradley PLCs**. The a...

FBI public warning on Signal and WhatsApp phishing

Public Sector Action
H score30 First: 20.03.2026 22:45 Last: 20.03.2026 22:45 Sources 1

About this happening: The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...

Latest development: 29.06.2026 12:29

The US government offered up to $10 million for information leading to the identification of UNC5792 and UNC4221, Russian intelligence-linked threat actors targeting Signal and WhatsApp users by posing as automated support accounts and stealing verification codes or Backup Recovery Keys; CISA and the FBI warned that sharing a Backup Recovery Key can let the actor access historical private and group messages and potentially keep access after a new account is created with the same phone number.

Timeline

  1. 15.09.2025 23:02 1 articles · 9mo ago

    Salesloft revokes Drift tokens

    Mitigation Patch Update

    Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating threat actor access to victims' Salesforce platforms from the previously connected Salesloft app. Salesforce later re-enabled integrations with Salesloft technologies except any Drift app, which remained disabled until further notice.

    Show sources
  2. 15.09.2025 23:02 2 articles · 9mo ago

    FBI IC3 warns of Salesforce-targeting threat actors

    Initial Disclosure

    The FBI's Internet Crime Complaint Center (IC3) warned that UNC6040, also known as ShinyHunters, and UNC6395 are targeting Salesforce customers for data theft and extortion. The advisory says UNC6040 has used vishing and social engineering to pose as IT support staff and trick employees into granting access or sharing credentials, while UNC6395 used stolen OAuth tokens from Salesloft's Drift application to compromise Salesforce-connected victims. The FBI recommended training call center employees, requiring phishing-resistant MFA, implementing authentication, authorization, and accounting (AAA) systems, enforcing IP-based access restrictions, monitoring logs and browser activity, and reviewing third-party connections.

    Show sources