FBI Warns of UNC6040 (ShinyHunters) and UNC6395 (Scattered Spider/Lapsus$ Tactics)

The FBI has issued a new alert about two cybercriminal groups, UNC6040 (ShinyHunters) and UNC6395 (linked to Scattered Spider/Lapsus$ tactics). Both groups are targeting organizations using Salesforce. They focus on stealing sensitive data and then extorting victims. Businesses need to know how these attacks work and how to defend against them.

How These Attacks Work

UNC6040, also known as ShinyHunters, uses voice phishing (vishing). Attackers call employees and pose as IT staff. Their goal is to trick staff into sharing login codes or approving malicious Salesforce apps. Once inside, they use tools such as Salesforce Data Loader, or modified versions, to steal large amounts of data.

UNC6395 takes a different approach. It relies on compromised OAuth tokens from third-party integrations. In one example, attackers exploited tokens from Salesloft Drift, a customer engagement tool linked to Salesforce. This gave them direct access to Salesforce data without needing passwords.

Both groups have stolen sensitive records like customer information, authentication tokens, and case notes. In many cases, they wait days or even months before demanding a ransom.

Why This Is a Serious Threat

These attacks are dangerous because they bypass common defenses. Multi-factor authentication alone does not stop them. OAuth tokens and trusted apps often appear legitimate, so traditional monitoring tools may not detect abuse.

Victims include some of the largest technology and security companies in the world. If attackers can breach those organizations, businesses of all sizes are at risk. The FBI alert makes clear that all Salesforce users must take this threat seriously.

How OSRS Can Help

At OGUN Security Research and Strategic Consulting, we protect organizations from advanced cyber threats like UNC6040 and UNC6395. Our services cover prevention, detection, and response.

• Regulatory Compliance & Legal Advisory: We help you align Salesforce and SaaS environments with security standards.

• Training & Certification Programs: We prepare your staff to spot vishing and social engineering attempts.

• Strategic Intelligence & Security Research: We track groups like ShinyHunters and Scattered Spider to give you early warning.

• Digital & Cyber Investigations: We investigate data theft and support incident response.

• Corporate & Financial Investigations: We help protect your financial stability in the face of extortion.

Partnering with OSRS gives you access to expert guidance and proven strategies. We make sure your organization can withstand modern cybercrime.

Time to Act

The FBI’s alert on UNC6040 (ShinyHunters) and UNC6395 (Scattered Spider/Lapsus$ tactics) is a warning to all organizations. Cybercriminals are targeting Salesforce, and they are using trusted tools to do it. Protecting your systems cannot wait.

Contact OSRS today. We are ready to help you strengthen your defenses and secure your data.

About the Author

Dr. Sunday Oludare Ogunlana is a cybersecurity professor and founder of OGUN Security Research and Strategic Consulting LLC. He leads in AI governance, cyber defense, and digital investigations, helping organizations protect against complex threats.