FBI warns cybercriminal groups target Salesforce platforms
Kirsten Peremore
Sep 29, 2025 4:38:34 PM

On September 12, 2025, the FBI released an alert warning about two cybercriminal groups, UNC6040 and UNC6395, that have been targeting organizations’ Salesforce platforms to steal data and extort victims.
What happened
UNC6040, active since October 2024, has relied on voice phishing, or vishing, to impersonate IT support staff and trick employees into handing over credentials or approving access to connected applications such as a modified Salesforce Data Loader, which the group then used to exfiltrate large amounts of data through API calls. In August 2025, UNC6395 was discovered exploiting compromised OAuth tokens linked to the Salesloft Drift AI chatbot, which integrates with Salesforce.
Using these tokens, the group gained access to Salesforce environments and stole sensitive data until August 20, 2025, when Salesforce and Salesloft revoked all active and refresh tokens associated with the Drift app to block further exploitation. Following these breaches, victims often received extortion demands, sometimes weeks or even months later, threatening to publicly release the stolen information unless a ransom was paid.
Going deeper
- UNC6040 often registers new malicious OAuth applications inside compromised Salesforce environments to maintain persistence and evade detection.
- The group has used multi-factor authentication (MFA) fatigue attacks to trick users into approving malicious login attempts.
- UNC6395’s campaign in August 2025 was linked to extortion emails claiming affiliation with ShinyHunters, a well-known data theft and leak group.
- Victims reported that stolen data was packaged and sold on dark web forums even when no ransom was paid.
- The FBI emphasized that attacks were not limited to one sector; victims spanned healthcare, finance, retail, and government organizations.
- The agency warned that attackers often used stolen Salesforce data to launch follow-on phishing attacks against customers and business partners.
- The alert noted that quickly revoking suspicious OAuth apps and tokens is one of the most effective defenses.
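As an added illustration (not part of the FBI alert or this article), the following defender-side triage script reviews constructed records of connected-app API activity and lists the user/app pairs whose tokens deserve review or revocation: apps not on a sanctioned allowlist, apps authorized only days ago (the persistence pattern above), and apps pulling an unusually large number of records (the bulk exfiltration pattern). The record fields, app names and thresholds are assumptions for the example, not Salesforce's own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connected-app API activity in one Salesforce org.
# Tuple layout is an assumption for this example, not a Salesforce log format:
# (user, connected_app, authorized_on, records_retrieved)
SAMPLE_EVENTS = [
    ("alice",     "Salesforce Data Loader", "2024-03-01", 1200),
    ("alice",     "Salesforce Data Loader", "2024-03-01", 800),
    ("bob",       "Data Loader (custom)",   "2025-08-18", 450000),
    ("bob",       "Data Loader (custom)",   "2025-08-18", 380000),
    ("svc_drift", "Drift",                  "2023-11-12", 900000),
]

# Sanctioned connected apps (constructed allowlist).
KNOWN_APPS = {"Salesforce Data Loader", "Drift"}


def flag_suspicious_apps(events, now, new_app_days=7, volume_threshold=250_000):
    """Return {(user, app): [reasons]} for token grants worth reviewing.

    Reasons:
      unrecognized      - app is not on the sanctioned allowlist
      newly_authorized  - app was authorized within new_app_days of `now`
      bulk_retrieval    - records pulled through the grant exceed volume_threshold
    A sanctioned app can still be flagged on volume alone, which is the
    compromised-token case: the app is legitimate, the usage is not.
    """
    totals = defaultdict(int)
    authorized_on = {}
    for user, app, authorized, records in events:
        key = (user, app)
        totals[key] += records
        authorized_on[key] = datetime.fromisoformat(authorized)

    findings = {}
    for key, total in totals.items():
        reasons = []
        if key[1] not in KNOWN_APPS:
            reasons.append("unrecognized")
        if now - authorized_on[key] <= timedelta(days=new_app_days):
            reasons.append("newly_authorized")
        if total > volume_threshold:
            reasons.append("bulk_retrieval")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in flag_suspicious_apps(SAMPLE_EVENTS, datetime(2025, 8, 20)).items():
        print(f"review/revoke {key[0]} -> {key[1]}: {', '.join(reasons)}")
```

The legitimate Data Loader usage by alice produces no finding, while the Drift grant is flagged on volume alone even though the app is sanctioned.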
What was said
According to the alert, “Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data. These extortion demands have varied in time following UNC6040 threat actors’ access and data exfiltration, ranging from a period of days to months.”
The bigger picture
According to the Office for Civil Rights (OCR), ransomware attacks on healthcare organizations have surged by 264% since 2018, reflecting a sharp increase in the use of ransomware and malware as tools for data theft and extortion. These attacks often begin when cybercriminals distribute malicious software through email attachments or links which, once activated, encrypt files and lead to ransom demands in exchange for decryption keys.
One settlement related to a ransomware investigation resulted in a $250,000 payment, underscoring the high costs of noncompliance. In 2024, a hospital in Georgia suffered a devastating incident when attackers gained access through a compromised email account, exfiltrated a terabyte of data, shut down the hospital’s entire system, forced weeks of paper-based operations, and ultimately leaked patient records.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is data extortion?
Data extortion happens when cybercriminals steal sensitive information and threaten to release, sell, or destroy it unless the victim pays a ransom.
How is data extortion different from ransomware?
Ransomware locks files by encrypting them until payment is made, while data extortion often involves stealing data and demanding money to keep it private; sometimes both happen together.
How do attackers usually gain access?
Common methods include phishing emails, compromised accounts, exploiting software vulnerabilities, and abusing third-party integrations or access tokens.