FBI Issues Alert on Salesforce Breaches by UNC6040, UNC6395 Cybercriminal Groups

Written by: Lore Apostol, Cybersecurity Writer

A Federal Bureau of Investigation (FBI) FLASH alert warns organizations that two threat groups, UNC6040 and UNC6395, are actively targeting corporate Salesforce platforms for data theft and extortion. The alert describes the distinct initial access mechanisms each group uses to compromise environments holding sensitive customer data.

UNC6040 Salesforce Breach and Extortion Tactics

Since at least October 2024, UNC6040 (ShinyHunters) has leveraged voice phishing (vishing) attacks to gain initial access. The threat actors impersonated IT support personnel in calls to an organization's help desk, tricking employees into granting access or sharing credentials.

A key tactic, the FBI says, is deceiving users into authorizing a malicious "connected app," often a modified version of Salesforce's Data Loader. Because the victim grants the authorization themselves, the resulting OAuth token is not challenged by MFA and survives a later password reset, giving the attackers persistent access that they use for bulk data exfiltration via API queries.

Some victims of the ShinyHunters Salesforce breach have later received extortion emails from the threat group, which was recently suspected of orchestrating the Vietnam National Credit Information Center breach.

UNC6395 Exploits Third-Party Integration

The campaign attributed to UNC6395 utilizes a different vector for its Salesforce cyberattack. In August 2025, this group exploited compromised OAuth tokens associated with the Salesloft Drift application, an AI chatbot that integrates with Salesforce. 

By riding on a trusted third-party app integration, UNC6395 was able to access and exfiltrate data from victim Salesforce instances. In response, Salesloft and Salesforce revoked all active access and refresh tokens for the Drift application to cut off that access.

The FBI recommends implementing phishing-resistant MFA, enforcing IP-based access restrictions, monitoring API usage, and thoroughly reviewing all third-party application integrations to mitigate these threats.
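The persistent-OAuth-token problem described under UNC6040 and the "review all third-party application integrations" recommendation both come down to the same routine check: enumerate the OAuth tokens live in the org, flag apps nobody approved, tokens for integrations that should already have been revoked, and tokens whose use count looks like bulk extraction rather than a human session. The script below is an added example written for this page; it is not code from the FBI alert, from Salesforce, or from Mandiant. It works on records shaped like the result of a SOQL query over the standard `OauthToken` object (`AppName`, `User.Username`, `LastUsedDate`, `UseCount`) as returned through the REST API; the sample records, the approved-app allowlist, the revoked-app set, the use-count threshold and the reference time are all constructed assumptions for illustration.

```python
"""Triage Salesforce OAuth tokens for connected-app abuse patterns.

Added example for this article, not vendor or FBI code. Input records are in
the shape of a REST-API SOQL result for:
  SELECT Id, AppName, User.Username, LastUsedDate, UseCount FROM OauthToken
Everything below marked "constructed" is illustrative, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

# Assumptions: which apps the org has actually approved, and which
# integrations have been globally revoked (Drift tokens were revoked by
# Salesloft and Salesforce in August 2025, so one still present is a finding).
APPROVED_APPS = {"Salesforce Data Loader", "Slack"}
REVOKED_APPS = {"Drift"}
BULK_USE_THRESHOLD = 1000   # assumed: a human session rarely gets here
STALE_DAYS = 90             # assumed: unused tokens are clean-up candidates

# Fixed "now" so the sample triage is reproducible (constructed).
REFERENCE_TIME = datetime(2025, 9, 12, tzinfo=timezone.utc)

# Constructed sample records; Ids are placeholders, not real Salesforce Ids.
SAMPLE_RECORDS = [
    {"Id": "tok-001", "AppName": "Salesforce Data Loader",
     "User": {"Username": "admin@example.com"},
     "LastUsedDate": "2025-09-10T08:00:00.000+0000", "UseCount": 40},
    {"Id": "tok-002", "AppName": "IT Support Portal",      # look-alike app
     "User": {"Username": "helpdesk.temp@example.com"},
     "LastUsedDate": "2025-09-11T02:13:00.000+0000", "UseCount": 1800},
    {"Id": "tok-003", "AppName": "Drift",                  # should be gone
     "User": {"Username": "integration@example.com"},
     "LastUsedDate": "2025-08-20T11:00:00.000+0000", "UseCount": 5000},
    {"Id": "tok-004", "AppName": "Slack",
     "User": {"Username": "sales@example.com"},
     "LastUsedDate": "2025-03-01T09:00:00.000+0000", "UseCount": 12},
]


def parse_sf_datetime(value):
    """Parse the ISO-8601 form Salesforce returns, e.g. 2025-09-10T08:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(records, now, approved=APPROVED_APPS, revoked=REVOKED_APPS,
                  bulk_threshold=BULK_USE_THRESHOLD, stale_days=STALE_DAYS):
    """Return one finding per suspicious token, with the reasons it was flagged.

    Reasons, in the order they are checked:
      TOKEN_FOR_REVOKED_INTEGRATION  app is on the revoked list but a token survives
      UNAPPROVED_APP                 app is not on the allowlist (e.g. a vished
                                     "IT support" connected app or a modified Data Loader)
      HIGH_USE_COUNT                 use count consistent with bulk API extraction
      STALE_TOKEN                    not used for more than stale_days
    """
    findings = []
    for rec in records:
        reasons = []
        app = rec.get("AppName", "")
        if app in revoked:
            reasons.append("TOKEN_FOR_REVOKED_INTEGRATION")
        elif app not in approved:
            reasons.append("UNAPPROVED_APP")
        if rec.get("UseCount", 0) >= bulk_threshold:
            reasons.append("HIGH_USE_COUNT")
        last_used = rec.get("LastUsedDate")
        if last_used and now - parse_sf_datetime(last_used) > timedelta(days=stale_days):
            reasons.append("STALE_TOKEN")
        if reasons:
            findings.append({
                "Id": rec["Id"],
                "AppName": app,
                "Username": rec.get("User", {}).get("Username"),
                "reasons": reasons,
            })
    return findings


def run_sample():
    """Triage the constructed sample against the fixed reference time."""
    return triage_tokens(SAMPLE_RECORDS, now=REFERENCE_TIME)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['Id']:8} {finding['AppName']:24} "
              f"{finding['Username']:28} {', '.join(finding['reasons'])}")
```

Run against the sample, the approved Data Loader token used normally produces no finding, the look-alike "IT Support Portal" app is flagged as unapproved and high-use, the leftover Drift token is flagged as belonging to a revoked integration and high-use, and the idle Slack token is a stale clean-up candidate. In a real org, feed the function the output of the SOQL query above and revoke anything confirmed malicious through Salesforce's standard `/services/oauth2/revoke` endpoint or the connected app's OAuth usage page; the allowlist is the part that needs maintaining, since an unapproved app that nobody reviews is exactly what both campaigns relied on.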

Incident Impact

With the incident now contained, the Salesloft Drift integration with Salesforce has been restored to its normal status. Mandiant's investigation traced the threat actor's activity back to a window between March and June 2025.

Companies that have disclosed Salesforce-related data breaches tied to these campaigns include Palo Alto Networks, Cloudflare, Proofpoint, Google, Chanel, Tenable, Cisco, Air France-KLM Group, Qantas Airlines, Louis Vuitton, Dior, and Tiffany & Co.
