FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups

The U.S. FBI issued a flash alert to warn of malicious activities carried out by two cybercriminal groups tracked as UNC6040 and UNC6395.

The FBI issued a FLASH alert with IOCs for cybercriminal groups UNC6040 and UNC6395, which are increasingly targeting Salesforce platforms for data theft and extortion.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions.” reads the FLASH alert. “Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms.”

Since early 2025, hackers known as UNC6040/UNC6240 have been targeting Salesforce users with phone scams, tricking employees into connecting malicious apps to their company accounts. This access lets them steal customer databases, later used for extortion. The attacks are linked to ShinyHunters and Scattered Spider and have already hit major firms like Google, Cisco, Adidas, Qantas, and Allianz.

Since October 2024, UNC6040 has targeted Salesforce accounts using vishing and social engineering. Actors pose as IT support, tricking call center employees into sharing credentials or approving malicious connected apps, often a modified Salesforce Data Loader. They use OAuth tokens to bypass MFA and other defenses, allowing bulk data exfiltration via API queries. Threat actors also register malicious apps through Salesforce trial accounts to avoid detection. Some victims later receive extortion emails, allegedly from ShinyHunters, demanding cryptocurrency to prevent data leaks.

The FBI also warns of the cybercrime group UNC6395 that has targeted Salesforce using compromised OAuth tokens for the Salesloft Drift app, allowing data exfiltration. Salesloft revoked all tokens on August 20, 2025, cutting attacker access.

“The FBI is also warning the public about another widespread data theft campaign targeting Salesforce platforms, designated UNC6395, utilizing a different initial access mechanism than UNC6040. In August of 2025, UNC6395 threat actors exploited compromised OAuth tokens for the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.” continues the alert. “Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims’ Salesforce instances and exfiltrate data.”

The FBI advises organizations to strengthen defenses against cybercriminals targeting Salesforce and other systems. Recommended measures include training call center staff to recognize phishing attempts, enforcing MFA, and applying the Principle of Least Privilege with AAA systems to limit user actions. Organizations should restrict IP-based access, monitor API usage for unusual activity, and track network logs and browser sessions for signs of data exfiltration. Additionally, organizations should review all third-party integrations and rotate API keys, credentials, and authentication tokens regularly.
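The following is an added example, not code from the FBI alert or from this article, showing how three of the recommended controls can be applied to Salesforce-style API activity records: an allowlist of approved connected apps (catching an unapproved Data Loader-style app), an IP-range restriction, and a per-user volume threshold on rows pulled through bulk API queries within a sliding time window. The record schema, field names, policy values and all sample events are constructed for this example and are assumptions; real Salesforce Event Monitoring logs use their own field names.

```python
"""
Added example (not from the FBI alert or the article): a small detector that
applies three of the recommended controls to Salesforce-style API activity
records -- an allowlist of approved connected apps, an IP-range restriction,
and a per-user threshold on rows pulled through bulk API queries.
The record schema and every sample value below are constructed for this
example; real Salesforce Event Monitoring logs use their own field names.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: approved connected apps and corporate egress ranges.
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
BULK_ROW_THRESHOLD = 100_000      # rows per user per sliding window
WINDOW = timedelta(hours=1)

# Constructed sample records (one per API call). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-09-12T09:00:00", "user": "alice@example.com",
     "app": "Corp Data Loader", "ip": "203.0.113.10", "rows": 2_000},
    {"ts": "2025-09-12T09:05:00", "user": "bob@example.com",
     "app": "Data Loader (trial)", "ip": "192.0.2.77", "rows": 60_000},
    {"ts": "2025-09-12T09:20:00", "user": "bob@example.com",
     "app": "Data Loader (trial)", "ip": "192.0.2.77", "rows": 70_000},
    {"ts": "2025-09-12T10:40:00", "user": "carol@example.com",
     "app": "Marketing Sync", "ip": "198.51.100.5", "rows": 500},
]


def ip_allowed(ip: str) -> bool:
    """Return True if the source IP falls inside an approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze(events):
    """Return a list of (rule, user, detail) findings over the event list."""
    findings = []
    per_user = defaultdict(list)   # user -> [(timestamp, rows)] inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Rule 1: connected app is not on the approved list.
        if ev["app"] not in APPROVED_APPS:
            findings.append(("unapproved_connected_app", ev["user"], ev["app"]))
        # Rule 2: API call originates outside the allowed IP ranges.
        if not ip_allowed(ev["ip"]):
            findings.append(("ip_outside_allowlist", ev["user"], ev["ip"]))
        # Rule 3: rows pulled by this user within WINDOW exceed the threshold.
        recent = [(t, r) for t, r in per_user[ev["user"]] if ts - t <= WINDOW]
        recent.append((ts, ev["rows"]))
        per_user[ev["user"]] = recent
        total = sum(r for _, r in recent)
        if total > BULK_ROW_THRESHOLD:
            findings.append(("bulk_export_volume", ev["user"], total))
    return findings


def dedupe(findings):
    """Collapse repeated (rule, user) pairs, keeping the first detail seen."""
    seen = {}
    for rule, user, detail in findings:
        seen.setdefault((rule, user), detail)
    return [(rule, user, detail) for (rule, user), detail in seen.items()]


if __name__ == "__main__":
    for rule, user, detail in dedupe(analyze(SAMPLE_EVENTS)):
        print(f"{rule:26} {user:20} {detail}")
```

On the constructed sample, the approved users produce no findings, while the second user trips all three rules: an unlisted connected app, a source address outside the corporate ranges, and a cumulative 130,000 rows inside one hour. The sliding window matters because the individual calls each stay under the threshold; only the sum over the window exposes the bulk pull.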

“The FBI recommends organizations investigate and vet indicators prior to taking action, such as blocking.” concludes the report, which includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)