Hackers are turning Salesforce, one of the world’s most widely used business platforms, into their latest playground. According to a new FBI alert, two cybercriminal groups – UNC6040 and UNC6395 – have been compromising Salesforce accounts to steal sensitive data and extort companies. The campaigns underline just how vulnerable cloud platforms have become, and why organizations need to rethink how they protect customer information.
The first group, UNC6040, has been at it since late 2024. Their weapon of choice? Old-fashioned but highly effective voice phishing (vishing). They call company help desks, pretend to be IT staff, and convince employees to hand over credentials or approve malicious apps. Once inside Salesforce, they use tools like Data Loader to pull out customer data in bulk. Victims often receive extortion emails later, some linked to the notorious ShinyHunters gang, demanding payment to stop stolen data from being leaked.
The second group, UNC6395, took a different approach. In August 2025, they exploited compromised OAuth tokens tied to Salesloft Drift, an AI chatbot connected to Salesforce. With those tokens, they slipped past authentication and drained data from Salesforce systems until the access was revoked.
Why It Matters
Salesforce is a cornerstone for businesses in nearly every sector – banks, hospitals, retailers, governments. A breach can expose not just customer records but also contracts, financial data, and internal communications. The FBI’s warning isn’t just about one company – it’s about the broader risk of how attackers are exploiting people and trusted integrations rather than hacking passwords or deploying malware.
In regions like the Middle East and Africa, where Salesforce adoption is climbing alongside ambitious digital transformation projects, the warning hits close to home. Financial institutions, telecoms, and government agencies in particular face a bigger bullseye on their backs.
The Bigger Picture
What these campaigns show is that the cloud isn’t inherently safe just because it’s run by tech giants. Criminals are finding creative ways to bypass traditional defenses. By tricking employees or abusing trusted third-party apps, they can get direct access to sensitive systems—often without tripping alarms. Security teams need to recognize that defending cloud services requires more than strong passwords and multi-factor authentication.
10 Ways to Protect Your Organization
Here are ten steps recommended by the FBI and security experts:
- Train call center and frontline staff to recognize and report suspicious calls. Use resources from Saintynet Training.
- Require phishing-resistant MFA for Salesforce and other critical apps.
- Apply the Principle of Least Privilege – give employees only the access they need.
- Use authentication, authorization, and accounting (AAA) controls to track who accessed what, and when.
- Enforce IP restrictions for Salesforce logins.
- Keep a close eye on API activity, especially large or unusual queries.
- Regularly audit and clean up third-party app integrations.
- Rotate API keys, OAuth tokens, and credentials on a set schedule.
- Continuously monitor network and session logs for anomalies.
- Build a SaaS-specific incident response plan so you’re ready if attackers strike.
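To show how three of these steps (IP restrictions, API/bulk-query monitoring, and integration review) translate into a concrete check, here is an added example that is not part of the FBI alert or any Salesforce tooling. The event records, their field names, the allowed network, and the approved-app list are all constructed assumptions, loosely modelled on the kind of API event data a Salesforce admin can export.

```python
# Added example (not from the FBI alert or Salesforce): flags API events that
# match the patterns described above, such as Data Loader-style bulk pulls,
# access from outside the allowed IP range, and unreviewed connected apps.
import ipaddress
from typing import Dict, List

# Assumed policy values (constructed for this example).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # corporate egress
APPROVED_APPS = {"Salesforce for Outlook", "Internal Reporting"}  # vetted apps
BULK_ROW_THRESHOLD = 10_000   # rows per call above which a query counts as bulk

# Constructed sample events: one benign query, one bulk Data Loader pull from
# outside the allowed range, and one query through an unreviewed connected app.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Internal Reporting", "operation": "Query",
     "entities": "Account", "rows": 120, "source_ip": "203.0.113.8"},
    {"user": "helpdesk@example.com", "app": "Data Loader", "operation": "Query",
     "entities": "Contact,Opportunity", "rows": 250_000, "source_ip": "198.51.100.23"},
    {"user": "integration@example.com", "app": "Drift", "operation": "Query",
     "entities": "Case", "rows": 4_000, "source_ip": "203.0.113.40"},
]

def flag_event(ev: Dict) -> List[str]:
    """Return the reasons (possibly none) an API event deserves review."""
    reasons = []
    ip = ipaddress.ip_address(ev["source_ip"])
    if not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append("login outside allowed IP ranges")
    if ev["operation"] == "Query" and ev["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk query of {ev['rows']} rows on {ev['entities']}")
    if ev["app"] not in APPROVED_APPS:
        reasons.append(f"unreviewed connected app '{ev['app']}'")
    return reasons

def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Group findings by user so the response team sees one entry per account."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            findings.setdefault(ev["user"], []).extend(reasons)
    return findings

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

In production the same logic would run over exported event records on a schedule and feed a ticketing or SIEM workflow rather than printing.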
Conclusion:
The FBI’s alert on UNC6040 and UNC6395 is a wake-up call. Attackers don’t need malware when they can trick employees or exploit integrations to walk right into Salesforce. Organizations need to stay ahead with stronger training, tighter controls, and constant vigilance. In today’s cloud-first world, the fight to protect customer trust is more urgent than ever.
Source: FBI IC3 Alert