UNC6040 / ShinyHunters Salesforce vishing campaign
Campaign
Summary
UNC6040 / ShinyHunters is running a vishing-based Salesforce campaign that has now been tied to Workiva. Workiva said attackers used a third-party CRM system to steal a limited set of business contact information from some customers, while the Workiva platform itself was not accessed or compromised. The campaign has also hit other large organizations, and the stolen data can support spear-phishing and follow-on extortion.
Related Happenings
Charter Communications hit by network compromise linked to ShinyHunters
Incident
H score: 70
First: 26.05.2026 22:46
Last: 26.05.2026 22:46
Sources 1
About this happening:
**Charter Communications** confirmed a **data breach** tied to **ShinyHunters** extortion, with the company saying it is **alerting authorities** and that **no sensitive personal...
Latest development: 29.05.2026 11:29
Have I Been Pwned analyzed leaked Charter Communications data and confirmed that the incident affected 4.9 million accounts, with exposed records including names, email addresses, job titles, phone numbers, and physical addresses. The published data also included a subset of about 85,000 records from an internal employee directory.
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
H score: 32
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
H score: 37
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
H score: 65
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
H score: 35
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
Timeline
- 02.10.2025 00:17 · 3 articles · 8mo ago
UNC6040 Salesforce vishing campaign and hardening guidance
Technical Analysis Update
Google and Mandiant describe UNC6040 as a vishing-driven campaign that has repeatedly compromised Salesforce instances, including Google's, by tricking employees into using a modified, unauthorized Salesforce Data Loader app or otherwise granting access. This enables credential theft, Salesforce data exfiltration, and possible lateral movement into Okta and Microsoft 365. Mandiant also recommends live video identity proofing, out-of-band verification for high-risk requests such as MFA resets, strict handling of third-party access requests, and a clear process for reporting suspicious communications.
- Google Sheds Light on ShinyHunters' Salesforce Tactics — www.darkreading.com — 02.10.2025 00:17
- SaaS giant Workiva discloses data breach after Salesforce attack — www.bleepingcomputer.com — 03.09.2025 19:40