The FBI is warning about a large-scale extortion campaign led by Scattered Spider and ShinyHunters, targeting hundreds of companies through vulnerabilities in Salesforce environments.
CONTEXT
The FBI has issued an alert about a cyberattack campaign conducted by Scattered Spider and ShinyHunters, also known as UNC6395 and UNC6040. These groups infiltrate Salesforce environments through social engineering, phishing, and exploitation of third-party applications. After exfiltrating sensitive data, they demand cryptocurrency ransoms of varying amounts, threatening to leak millions of customer records. Their tactics include compromising connected apps such as Salesloft Drift, allowing them to bypass traditional protections. Confirmed victims include French luxury group Kering and a Vietnamese government agency. Despite their announced “retirement” on Telegram, experts believe a reorganization is more likely. The FBI urges companies to harden defenses and train support teams.
Scattered Spider and ShinyHunters target Salesforce
According to the FBI, Scattered Spider (UNC6395) and ShinyHunters (UNC6040) have been conducting a massive intrusion campaign against Salesforce since October 2024. Their initial approach relied on social engineering. Hackers called company support centers posing as IT staff, tricking them into handing over legitimate credentials. This granted access to Salesforce environments rich in customer data and internal documents.
In parallel, phishing campaigns by email and SMS targeted employees’ devices. Once compromised, attackers used these accounts to infiltrate connected services. By summer 2025, they shifted toward exploiting Salesforce-integrated third-party apps, bypassing reinforced security measures such as multifactor authentication and connection monitoring.
Among the tools exploited was Salesloft Drift, a chatbot solution integrated with Salesforce. The FBI also reports that attackers created fake Salesforce trial accounts, registering malicious connected apps. Once approved by victims, these apps provided direct access to sensitive data, making detection extremely difficult.
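A defender's counterpart to the connected-app technique described above: audit which OAuth connected apps are actually logging in to the org and flag any that were never deliberately approved. The script below is an added example, not code from the article, the FBI alert, or Salesforce. It runs over a constructed sample modelled on a Salesforce login-history export; the column names (LoginTime, UserId, LoginType, Application, Status, SourceIp), the "Remote Access 2.0" login-type value used to recognise OAuth app access, the sample rows and the allowlist are all assumptions made for the example.

```python
"""
Added example (not from the ZATAZ article or the FBI alert): audit which
connected apps are logging in to a Salesforce org and flag unapproved ones.
The sample export, its column names and the allowlist are constructed
assumptions made for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample resembling a login-history export; not real telemetry.
SAMPLE_LOGIN_EXPORT = """\
LoginTime,UserId,LoginType,Application,Status,SourceIp
2025-06-02T08:01:12Z,005AAA,Application,Salesforce for iOS,Success,203.0.113.10
2025-06-02T08:05:40Z,005AAA,Remote Access 2.0,Salesloft Drift,Success,203.0.113.10
2025-06-02T09:12:03Z,005BBB,Remote Access 2.0,Data Sync Helper,Success,198.51.100.7
2025-06-02T09:12:45Z,005BBB,Remote Access 2.0,Data Sync Helper,Success,198.51.100.8
2025-06-02T09:13:20Z,005BBB,Remote Access 2.0,Data Sync Helper,Success,198.51.100.9
2025-06-02T11:40:00Z,005CCC,Application,Browser,Success,192.0.2.44
2025-06-02T12:00:31Z,005CCC,Remote Access 2.0,Salesloft Drift,Failed,192.0.2.44
"""

# Apps the org has deliberately authorised (constructed allowlist).
APPROVED_APPS = {"Salesloft Drift", "Salesforce for iOS", "Browser"}

# Login types assumed to mean OAuth / connected-app access rather than an
# interactive user session.
OAUTH_LOGIN_TYPES = {"Remote Access 2.0"}


def parse_login_export(text):
    """Parse a CSV login export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_connected_apps(rows, approved_apps, oauth_login_types=OAUTH_LOGIN_TYPES):
    """Summarise successful OAuth app logins per application.

    Returns a dict keyed by application name holding the login count, the
    user IDs and source IPs seen, and whether the app is on the allowlist.
    Failed logins and interactive sessions are ignored.
    """
    summary = defaultdict(
        lambda: {"logins": 0, "users": set(), "ips": set(), "approved": False}
    )
    for row in rows:
        if row["LoginType"] not in oauth_login_types or row["Status"] != "Success":
            continue
        app = row["Application"]
        entry = summary[app]
        entry["logins"] += 1
        entry["users"].add(row["UserId"])
        entry["ips"].add(row["SourceIp"])
        entry["approved"] = app in approved_apps
    return dict(summary)


def unapproved_apps(summary):
    """Names of connected apps seen logging in that are not on the allowlist."""
    return sorted(app for app, info in summary.items() if not info["approved"])


def main():
    rows = parse_login_export(SAMPLE_LOGIN_EXPORT)
    summary = audit_connected_apps(rows, APPROVED_APPS)
    for app, info in sorted(summary.items()):
        flag = "OK " if info["approved"] else "!! "
        print(f"{flag}{app}: {info['logins']} logins, "
              f"{len(info['users'])} user(s), {len(info['ips'])} source IP(s)")
    print("Unapproved connected apps:", unapproved_apps(summary))


if __name__ == "__main__":
    main()
```

On the constructed sample the only unapproved app is "Data Sync Helper", which also shows the pattern worth a second look in practice: one user, several successive logins from different source addresses. The failed "Salesloft Drift" attempt is excluded, so a legitimate app is not flagged for a single rejected login. In a real org the allowlist would be the set of connected apps an administrator consciously installed or approved, which is exactly the control the fake-trial-account approach tries to slip past.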
Global victims and shifting ransom demands
The FBI did not specify the exact number of affected companies but mentioned hundreds of organizations. Ransom demands, payable in cryptocurrency, vary widely with no consistent timing. Some demands follow immediately after exfiltration, while others come months later.
High-profile companies are among the victims. Reuters and the BBC confirmed that Kering, parent company of Gucci, Balenciaga, and Alexander McQueen, was targeted. ShinyHunters claimed the theft of 7.4 million email addresses, stating they obtained the data in late 2024 before starting negotiations in June 2025.
In Vietnam, a government agency confirmed the theft of millions of financial records in an attack also claimed by ShinyHunters. These operations add to the group’s long list of previous intrusions across industries from insurance to aviation.
Experts stress that attackers’ use of legitimate infrastructures complicates investigations. They leverage cloud services like Azure, virtual servers, Tor nodes, and proxies to mask their origin.
Shortly before the FBI alert, the groups posted Telegram messages announcing their retirement, citing recent arrests and increased law enforcement pressure. Cybersecurity experts consider these claims unreliable. ZATAZ’s ongoing research suggests that one of the instigators behind these groups may in fact be a single individual, French-speaking, producing inconsistent statements, and repeatedly recycling the same “proof” screenshots of intrusions. ZATAZ’s monitoring service noted similar tactics in claimed attacks on AirFrance/KLM and Victoria’s Secret.
The FBI warns that Scattered Spider and ShinyHunters exploit Salesforce to extort companies and agencies by weaponizing stolen sensitive data. [ZATAZ News English version]
Read more https://www.zataz.com/cyberattacks-salesforce-scattered-spider-shinyhunters/

