FBI Warns of Salesforce Cyberattacks by UNC6040 and UNC6395
The FBI has issued a flash alert warning of malicious activities by cybercriminal groups UNC6040 and UNC6395 targeting Salesforce platforms. These groups have been observed exploiting vulnerabilities and using social engineering techniques to gain unauthorized access for data theft and extortion.
Both groups have been responsible for a rising number of data theft and extortion intrusions targeting Salesforce users. UNC6040, linked to ShinyHunters and Scattered Spider, has affected major firms like Google, Cisco, Adidas, Qantas, and Allianz. Since early 2025, the group has targeted Salesforce users with phone scams, tricking employees into connecting malicious apps to company accounts for data theft and extortion.
UNC6040 targets Salesforce accounts using vishing and social engineering, bypassing MFA and other defenses for bulk data exfiltration via API queries. UNC6395 targets Salesforce using compromised OAuth tokens for the Salesloft Drift app, allowing data exfiltration. Salesloft revoked all tokens on August 20, 2025, cutting UNC6395's access to victims' Salesforce instances.
The FBI recommends that organizations strengthen defenses against these cybercriminals by training staff, enforcing MFA, and monitoring API usage for unusual activity. Organizations should also restrict IP-based access, track network logs and browser sessions, review third-party integrations, and rotate API keys, credentials, and authentication tokens regularly. The Indicators of Compromise (IoCs) for both UNC6040 and UNC6395 are included in the FBI's flash alert.
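As an added illustration of the monitoring recommendations above (not taken from the FBI alert or from Salesforce), the following sketch checks API query events against an IP allowlist, a reviewed-app inventory, and an hourly row-volume limit. The log columns, app names, network range, and threshold are all constructed assumptions; map them to the fields your own event export provides.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample events; column names are illustrative, not a Salesforce export schema.
SAMPLE_LOG = """timestamp,user,connected_app,client_ip,rows_returned
2025-08-12T09:01:00Z,alice,CRM Sync,203.0.113.10,120
2025-08-12T09:20:00Z,alice,CRM Sync,203.0.113.10,80
2025-08-12T10:05:00Z,carol,CRM Sync,203.0.113.20,6000
2025-08-12T11:10:00Z,carol,CRM Sync,203.0.113.20,6000
2025-08-12T14:02:00Z,bob,Unreviewed App X,198.51.100.7,6000
2025-08-12T14:31:00Z,bob,Unreviewed App X,198.51.100.7,7000
"""

# Assumed policy values; set these from your own baseline and app inventory.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"CRM Sync"}
ROW_LIMIT_PER_HOUR = 10_000

def find_suspicious(log_text):
    """Return sorted (user, app, reason) findings for API query events."""
    rows_per_hour = defaultdict(int)
    findings = set()
    for ev in csv.DictReader(io.StringIO(log_text)):
        user, app = ev["user"], ev["connected_app"]
        hour = ev["timestamp"][:13]  # bucket by UTC hour, e.g. 2025-08-12T14
        rows_per_hour[(user, app, hour)] += int(ev["rows_returned"])
        ip = ipaddress.ip_address(ev["client_ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            findings.add((user, app, "ip_outside_allowlist"))
        if app not in APPROVED_APPS:
            findings.add((user, app, "unreviewed_app"))
    # Bulk pulls are judged on the hourly total, not on single queries.
    for (user, app, _hour), total in rows_per_hour.items():
        if total > ROW_LIMIT_PER_HOUR:
            findings.add((user, app, "bulk_rows"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Carol's two 6,000-row pulls fall in different hours and stay under the limit, while Bob's two queries in the same hour sum to 13,000 rows and are flagged.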