FBI Alert: UNC6040 and UNC6395 Cybercriminal Groups Target Salesforce Platforms for Data Theft and Extortion

TL;DR

The U.S. FBI has issued a flash alert warning organizations about cybercriminal groups UNC6040 and UNC6395, which are actively targeting Salesforce platforms for data theft and extortion. UNC6040 uses vishing and social engineering to trick employees into granting access to malicious apps, while UNC6395 exploits compromised OAuth tokens in the Salesloft Drift app. Major companies like Google, Cisco, Adidas, and Allianz have already been affected. The FBI recommends enforcing multi-factor authentication (MFA), restricting IP access, and monitoring API activity to mitigate risks.

---

FBI Issues Critical Warning About Salesforce Platforms Targeted by the UNC6040 and UNC6395 Cybercriminal Groups

The U.S. Federal Bureau of Investigation (FBI) has released a flash alert[^1] detailing the malicious activities of two cybercriminal groups, UNC6040 and UNC6395, which are increasingly targeting Salesforce platforms for data theft and extortion. These groups employ sophisticated tactics to gain unauthorized access to organizational data, posing a significant threat to businesses worldwide.

---

UNC6040: Vishing and Social Engineering Attacks

Since early 2025, the cybercriminal group UNC6040 has been conducting vishing (voice phishing) and social engineering attacks to compromise Salesforce accounts. The group impersonates IT support personnel and tricks employees—particularly those in call centers—into sharing credentials or approving malicious connected apps.

Key Tactics Used by UNC6040

- Phone Scams: Attackers pose as IT support to manipulate employees into granting access to malicious apps.
- Malicious Apps: Modified versions of Salesforce Data Loader are used to bypass security measures.
- OAuth Token Exploitation: Once an employee approves a malicious connected app, the OAuth token issued to it lets attackers call the Salesforce API directly, sidestepping the multi-factor authentication (MFA) prompts and other defenses that protect interactive logins.
- Bulk Data Exfiltration: Once access is gained, threat actors perform API queries to steal large volumes of data.
- Extortion: Victims receive extortion emails, often attributed to the ShinyHunters group, demanding cryptocurrency payments to prevent data leaks.

Notable Victims

UNC6040’s attacks have impacted several high-profile organizations, including:
- Google[^2]
- Cisco
- Adidas[^3]
- Qantas
- Allianz[^4]

---

UNC6395: Exploiting OAuth Tokens in Salesloft Drift

In August 2025, the FBI highlighted another cybercriminal group, UNC6395, which exploited compromised OAuth tokens in the Salesloft Drift application. Salesloft Drift is an AI-powered chatbot that integrates with Salesforce, making it a prime target for data theft.

How UNC6395 Operates

- OAuth Token Theft: Attackers compromise OAuth tokens to gain unauthorized access to Salesforce instances.
- Data Exfiltration: Using third-party app integrations, UNC6395 exfiltrates sensitive data from victim organizations.
- Mitigation by Salesloft: On August 20, 2025, Salesloft revoked all OAuth tokens[^5], effectively cutting off the attackers’ access.

---

FBI Recommendations to Mitigate Risks

To protect against these cyber threats, the FBI advises organizations to implement the following security measures:

1. Employee Training

- Train call center staff to recognize phishing and vishing attempts.
- Conduct regular security awareness programs to educate employees about social engineering tactics.

2. Multi-Factor Authentication (MFA)

- Enforce MFA across all accounts to add an extra layer of security.

3. Principle of Least Privilege

- Apply the Principle of Least Privilege to limit user actions based on their roles.
- Use Authentication, Authorization, and Accounting (AAA) systems to manage access effectively.

4. IP-Based Access Restrictions

- Restrict access to Salesforce platforms based on IP addresses to prevent unauthorized logins.

5. API Monitoring

- Monitor API usage for unusual activity that may indicate data exfiltration.
- Set up alerts for anomalous API queries.

6. Network and Browser Session Tracking

- Track network logs and browser sessions for signs of malicious activity.
- Regularly audit third-party integrations to ensure they are secure.

7. Credential and Token Management

- Rotate API keys, credentials, and authentication tokens regularly to minimize the risk of compromise.
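
The API-monitoring, connected-app and IP-restriction recommendations above can be turned into concrete detection logic. The following is an added example written for this article; it is not part of the FBI alert, Salesforce, or any vendor tooling. It runs over a handful of constructed log lines loosely modeled on Salesforce EventLogFile API rows (the field names, user IDs, connected-app IDs and IP addresses are assumptions) and flags three things a defender would want to see: a single user pulling more rows within a 15-minute window than a tuned threshold, API calls made through a connected app that is not on the approved list, and calls arriving from IP addresses outside the expected egress range.

```python
"""Flag bulk API pulls, unapproved connected apps and off-policy IPs
in constructed Salesforce-style API event logs (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, loosely modeled on Salesforce EventLogFile "API"
# events. Field names, user IDs, app IDs and IPs are assumptions, not real data.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_IP,CONNECTED_APP_ID,USER_AGENT,ENTITY_NAME,ROWS_PROCESSED
20250901120000.000,005A1,203.0.113.10,0H4CORPAPP,Salesforce-DataLoader/58,Account,200
20250901120500.000,005A1,203.0.113.10,0H4CORPAPP,Salesforce-DataLoader/58,Contact,300
20250901130000.000,005B2,198.51.100.7,0H4UNKNOWN,Salesforce-DataLoader/58,Account,50000
20250901130100.000,005B2,198.51.100.7,0H4UNKNOWN,Salesforce-DataLoader/58,Contact,80000
20250901130200.000,005B2,198.51.100.7,0H4UNKNOWN,Salesforce-DataLoader/58,Opportunity,60000
20250901150000.000,005C3,203.0.113.22,0H4CORPAPP,python-requests/2.31,Case,120
"""

# Tuning knobs (assumed values): tune the row threshold to the org's normal
# integration volume, and keep the allowlists in sync with the connected-app
# and login-IP policies actually configured in Salesforce.
ROW_THRESHOLD = 100_000
WINDOW = timedelta(minutes=15)
ALLOWED_APPS = {"0H4CORPAPP"}
ALLOWED_IPS = {"203.0.113.10", "203.0.113.22"}  # e.g. corporate egress addresses


def parse_events(text):
    """Parse CSV event rows into dicts with typed timestamp and row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            # Salesforce-style timestamps look like 20250901120000.000
            "time": datetime.strptime(row["TIMESTAMP"], "%Y%m%d%H%M%S.%f"),
            "user": row["USER_ID"],
            "ip": row["CLIENT_IP"],
            "app": row["CONNECTED_APP_ID"],
            "agent": row["USER_AGENT"],
            "entity": row["ENTITY_NAME"],
            "rows": int(row["ROWS_PROCESSED"]),
        })
    return events


def max_rows_in_window(events, window=WINDOW):
    """Per user, the largest row total pulled inside any span of `window` length."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    peaks = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        best = start = running = 0
        for end, e in enumerate(evs):
            running += e["rows"]
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                running -= evs[start]["rows"]
                start += 1
            best = max(best, running)
        peaks[user] = best
    return peaks


def detect(events, row_threshold=ROW_THRESHOLD,
           allowed_apps=ALLOWED_APPS, allowed_ips=ALLOWED_IPS):
    """Return (kind, user, detail) findings; one finding per distinct issue."""
    findings = []
    minutes = int(WINDOW.total_seconds() // 60)
    for user, peak in sorted(max_rows_in_window(events).items()):
        if peak > row_threshold:
            findings.append(("bulk_export", user, f"{peak} rows within {minutes} min"))
    seen = set()
    for e in events:
        app_key = ("app", e["user"], e["app"])
        if e["app"] not in allowed_apps and app_key not in seen:
            seen.add(app_key)
            findings.append(("unapproved_connected_app", e["user"], e["app"]))
        ip_key = ("ip", e["user"], e["ip"])
        if e["ip"] not in allowed_ips and ip_key not in seen:
            seen.add(ip_key)
            findings.append(("ip_outside_policy", e["user"], e["ip"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{kind:26} user={user} {detail}")
```

In the constructed sample, user 005B2 triggers all three findings at once: 190,000 rows pulled in two minutes through an unlisted connected app from an address outside the corporate range, which is the shape of the bulk exfiltration the alert describes. The two other users stay under the threshold and within policy, so they produce no findings. In production the same logic would run against the real event log feed, with the user-agent field retained so analysts can see whether a Data Loader-style client was involved.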

---

Conclusion: The Growing Threat to Salesforce Platforms

The FBI’s flash alert underscores the escalating threat posed by UNC6040 and UNC6395 to organizations using Salesforce platforms. These cybercriminal groups leverage social engineering, OAuth token exploitation, and malicious apps to steal sensitive data and extort victims. By implementing the FBI’s recommended security measures, organizations can strengthen their defenses and mitigate the risk of falling victim to these attacks.

As cyber threats continue to evolve, businesses must remain vigilant and proactive in safeguarding their data and systems.

---

Additional Resources

For further insights, check:
- [FBI Flash Alert (PDF)](https://www.ic3.gov/CSA/2025/250912.pdf)
- [SecurityAffairs: FBI Warns of Salesforce Attacks](https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html)
- [Salesforce Security Best Practices](https://www.salesforce.com/products/platform/best-practices/security/)

---

References

[^1]: Federal Bureau of Investigation (FBI) (2025). "[FLASH Alert: Indicators of Compromise Associated with UNC6040 and UNC6395](https://www.ic3.gov/CSA/2025/250912.pdf)". IC3. Retrieved 2025-09-13.

[^2]: Paganini, Pierluigi (2025). "[Google Confirms Salesforce CRM Breach, Faces Extortion Threat](https://securityaffairs.com/181017/data-breach/google-confirms-salesforce-crm-breach-faces-extortion-threat.html)". SecurityAffairs. Retrieved 2025-09-13.

[^3]: Paganini, Pierluigi (2025). "[Adidas Security Breach](https://securityaffairs.com/74001/data-breach/adidas-security-breach.html)". SecurityAffairs. Retrieved 2025-09-13.

[^4]: Paganini, Pierluigi (2025). "[Allianz Life Security Breach Impacted 1.1 Million Customers](https://securityaffairs.com/181294/data-breach/allianz-life-security-breach-impacted-1-1-million-customers.html)". SecurityAffairs. Retrieved 2025-09-13.

[^5]: Paganini, Pierluigi (2025). "[Hackers Breached Salesloft’s GitHub in March and Used Stolen Tokens in a Mass Attack](https://securityaffairs.com/182002/hacking/hackers-breached-salesloft-s-github-in-march-and-used-stole-tokens-in-a-mass-attack.html)". SecurityAffairs. Retrieved 2025-09-13.