FBI Alert: UNC6040 and UNC6395 Hackers Target Salesforce Data – What You Need to Know

TL;DR


- The FBI has issued a FLASH alert warning about two threat clusters, UNC6040 and UNC6395, actively targeting Salesforce environments to steal sensitive data and extort victims.
- Organizations using Salesforce are urged to assess their security posture, monitor for suspicious activity, and implement mitigation strategies to prevent compromise.
- This alert highlights the growing risk of cloud-based attacks and the importance of proactive cybersecurity measures.

---

FBI Warns of UNC6040 and UNC6395 Hackers Stealing Salesforce Data



The Federal Bureau of Investigation (FBI) has issued a FLASH alert[^1] warning organizations about two cyber threat clusters, identified as UNC6040 and UNC6395, actively compromising Salesforce environments. These threat actors are stealing sensitive data and using it to extort victims, posing a significant risk to businesses relying on Salesforce for customer relationship management (CRM) and data storage.

Who Are UNC6040 and UNC6395?


UNC6040 and UNC6395 are threat clusters tracked by cybersecurity researchers. While their exact origins remain unclear, their tactics suggest a high level of sophistication in targeting cloud-based platforms like Salesforce. Their primary objectives include:
- Data exfiltration: Stealing sensitive customer and corporate data.
- Extortion: Leveraging stolen data to demand ransom payments.
- Persistent access: Maintaining long-term access to compromised environments for future attacks.

How Are They Compromising Salesforce Environments?


The FBI alert outlines several tactics, techniques, and procedures (TTPs) employed by these threat actors:
1. Phishing Attacks: Using deceptive emails to trick employees into revealing login credentials.
2. Credential Stuffing: Exploiting weak or reused passwords to gain unauthorized access.
3. API Abuse: Leveraging Salesforce APIs to extract data without detection.
4. Malware Deployment: Installing malicious scripts to maintain persistence within the environment.

These methods allow the hackers to bypass security controls and move laterally within the Salesforce ecosystem, accessing confidential records, financial data, and intellectual property.

Why Is This Alert Significant?


The FBI's warning underscores the growing threat of cloud-based cyberattacks. Salesforce, as one of the world's leading CRM platforms, is a prime target for cybercriminals due to the vast amounts of sensitive data it stores. Key implications include:
- Increased risk of data breaches: Organizations may face regulatory penalties and reputational damage if customer data is exposed.
- Financial losses: Extortion demands and recovery costs can be substantial.
- Operational disruptions: Compromised Salesforce environments may lead to downtime and loss of productivity.

How Can Organizations Protect Themselves?


To mitigate the risk of falling victim to UNC6040 and UNC6395, organizations should implement the following cybersecurity best practices:
- Enable Multi-Factor Authentication (MFA): Add an extra layer of security to prevent unauthorized access.
- Monitor for Suspicious Activity: Use Salesforce's built-in security tools to detect anomalies, such as unusual login attempts or data exports.
- Regularly Audit Permissions: Ensure that only authorized personnel have access to sensitive data.
- Educate Employees: Conduct phishing awareness training to reduce the risk of credential theft.
- Update Security Policies: Implement strong password policies and regularly review access logs.
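
As an added example (not part of the FBI alert or the original article), the sketch below shows the kind of check the "Monitor for Suspicious Activity" item describes: flagging a login from a previously unseen address and a data export far above a user's normal volume. The column names, thresholds and sample events are assumptions constructed for illustration and do not reflect Salesforce's own log schema.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample events, oldest first. The column layout is a simplified,
# hypothetical schema for this example, not Salesforce's own log format.
SAMPLE_LOG = """\
timestamp,user,event,source_ip,rows
2025-09-01T09:02:11Z,alice@example.com,login,198.51.100.10,0
2025-09-01T09:05:40Z,alice@example.com,api_query,198.51.100.10,120
2025-09-01T09:30:02Z,bob@example.com,login,192.0.2.5,0
2025-09-01T09:31:15Z,bob@example.com,api_query,192.0.2.5,200
2025-09-02T08:58:47Z,alice@example.com,login,198.51.100.10,0
2025-09-02T09:10:03Z,alice@example.com,api_query,198.51.100.10,90
2025-09-02T14:22:30Z,alice@example.com,api_query,198.51.100.10,150
2025-09-03T02:14:09Z,alice@example.com,login,203.0.113.77,0
2025-09-03T02:16:40Z,alice@example.com,api_query,203.0.113.77,48000
"""

EXPORT_FACTOR = 10  # assumption: alert when rows exceed 10x the user's median
MIN_BASELINE = 3    # assumption: prior queries needed before judging volume


def detect(log_text):
    """Return (timestamp, user, reason, detail) tuples for anomalous events."""
    seen_ips = defaultdict(set)       # user -> source IPs seen at login
    query_rows = defaultdict(list)    # user -> row counts of earlier queries
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        ts, user, ip = rec["timestamp"], rec["user"], rec["source_ip"]
        if rec["event"] == "login":
            # A user's first login only seeds the baseline; later logins
            # from an address not seen before are flagged.
            if seen_ips[user] and ip not in seen_ips[user]:
                alerts.append((ts, user, "new_source_ip", ip))
            seen_ips[user].add(ip)
        elif rec["event"] == "api_query":
            rows, history = int(rec["rows"]), query_rows[user]
            if len(history) >= MIN_BASELINE:
                baseline = max(statistics.median(history), 1)
                if rows > EXPORT_FACTOR * baseline:
                    alerts.append((ts, user, "bulk_export", str(rows)))
            history.append(rows)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

A user with fewer than `MIN_BASELINE` earlier queries is never flagged for volume, so new or rarely used accounts need a separate fixed ceiling.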

The Broader Impact on Cybersecurity


This alert serves as a reminder of the evolving cyber threat landscape. As businesses increasingly rely on cloud-based solutions, threat actors are adapting their strategies to exploit vulnerabilities in these platforms. Organizations must prioritize cybersecurity and stay vigilant against emerging threats.

---

Conclusion


The FBI's warning about UNC6040 and UNC6395 highlights the urgent need for organizations to secure their Salesforce environments. By adopting proactive security measures, businesses can reduce the risk of data breaches, financial losses, and reputational harm. As cyber threats continue to evolve, staying informed and implementing robust defenses is critical to safeguarding sensitive information.

---

Additional Resources


For further insights, check:
- [FBI FLASH Alert on UNC6040 and UNC6395](https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/)
- [Salesforce Security Best Practices](https://www.salesforce.com/products/platform/best-practices/security/)
- [Cybersecurity & Infrastructure Security Agency (CISA) Cloud Security Guidelines](https://www.cisa.gov/)

---
[^1]: [FBI FLASH Alert: UNC6040 and UNC6395 Targeting Salesforce Environments](https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/). BleepingComputer. Retrieved 2025-09-14.