
The FBI has issued a flash alert about two cybercriminal groups (UNC6040 and UNC6395) targeting Salesforce accounts for data theft.
An FBI advisory warns that two threat groups, UNC6040 and UNC6395, are breaching Salesforce accounts to steal sensitive data. Salesforce is a widely used CRM platform that often stores sensitive customer and business data, making it an attractive target for attackers. Each group uses different infiltration methods to gain entry, highlighting the need for organizations to strengthen cloud security.
UNC6395: OAuth Token Exploitation
UNC6395 was linked to an August 2025 attack that exploited compromised OAuth tokens in Salesloft’s Drift AI chatbot integration. Attackers obtained these tokens via a prior Salesloft GitHub breach, then used them to access customer Salesforce instances. At least 22 organizations confirmed they were affected by the Drift breach, illustrating how one compromised integration can ripple across many companies. In response, Salesloft isolated the compromised Drift environment and enforced stronger authentication measures.
UNC6040: Voice Phishing (Vishing) Attacks
UNC6040, active since late 2024, uses phone-based social engineering to trick staff into granting Salesforce access. In these vishing campaigns, attackers pose as IT support and lead employees to fake login pages or apps. Once access is obtained, the criminals run automated scripts and API queries (often via a modified Salesforce Data Loader) to bulk-exfiltrate data. Stolen information is frequently used in follow-on extortion attempts.
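Both intrusion paths described above end in API-driven bulk reads, which a defender can look for in API activity records. The following is an added example, not code from the FBI alert, Salesforce or Salesloft: it flags connected apps that are not on an allowlist by ID (a lookalike "Data Loader" shares the name but not the ID), integration tokens used from unexpected source addresses, and unusually large row counts. The event field names, app IDs, IP addresses and threshold are constructed assumptions, not a real Salesforce log schema.

```python
from collections import defaultdict

# Constructed sample events. Field names are assumptions for illustration,
# not a real Salesforce log schema; IDs and IPs are made up.
EVENTS = [
    {"user": "alice", "app_id": "app-0001", "app_name": "Data Loader",
     "src_ip": "198.51.100.7", "rows": 1200},
    {"user": "bob", "app_id": "app-ffff", "app_name": "Data Loader",
     "src_ip": "203.0.113.50", "rows": 90000},
    {"user": "bob", "app_id": "app-ffff", "app_name": "Data Loader",
     "src_ip": "203.0.113.50", "rows": 85000},
    {"user": "svc-chat", "app_id": "app-0002", "app_name": "Chat Integration",
     "src_ip": "203.0.113.99", "rows": 400000},
    {"user": "svc-chat", "app_id": "app-0002", "app_name": "Chat Integration",
     "src_ip": "192.0.2.10", "rows": 300},
]

APPROVED_APP_IDS = {"app-0001", "app-0002"}       # allowlist by ID, not by name
INTEGRATION_IPS = {"app-0002": {"192.0.2.10"}}    # where each integration token may originate
BULK_ROW_THRESHOLD = 100_000                      # rows per user/app in the review window


def detect(events, threshold=BULK_ROW_THRESHOLD):
    """Return (user, app_id, reasons) for each suspicious user/app pair."""
    rows = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        key = (e["user"], e["app_id"])
        rows[key] += e["rows"]
        ips[key].add(e["src_ip"])

    findings = []
    for key in sorted(rows):
        user, app_id = key
        reasons = []
        if app_id not in APPROVED_APP_IDS:
            reasons.append("unapproved_app")          # e.g. a lookalike Data Loader
        expected = INTEGRATION_IPS.get(app_id)
        if expected is not None and ips[key] - expected:
            reasons.append("unexpected_source_ip")    # token used outside the vendor range
        if rows[key] >= threshold:
            reasons.append("bulk_volume")
        if reasons:
            findings.append((user, app_id, reasons))
    return findings
```
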
Extortion and Follow-Up
After attackers infiltrate Salesforce, the stolen data is often weaponized. The FBI notes that a related ShinyHunters gang (UNC6240) has already sent ransom demands to UNC6040 victims. These attackers are reportedly preparing public data-leak sites to increase pressure on victims. Even if cybercriminal groups claim to disband, experts warn that stolen records and backdoors can persist, so organizations must remain vigilant.