
The Federal Bureau of Investigation has issued a new FLASH alert warning that cybercriminal groups are actively compromising Salesforce instances in order to steal sensitive data and extort organizations. The warning, coordinated with DHS and CISA, highlights the tactics of two threat groups tracked as UNC6040 and UNC6395.
According to the FBI, UNC6040 has been targeting Salesforce platforms since October 2024 using social engineering. The attackers often pose as IT support staff and call company help desks, tricking employees into sharing credentials or authorizing malicious applications. Once inside, the criminals exploit Salesforce’s connected app system, sometimes disguising their tools as the official Data Loader. This method bypasses normal defenses such as multifactor authentication and login monitoring, giving the attackers broad access to query and exfiltrate data.
The agency notes that UNC6040 victims have in some cases later received extortion threats, allegedly from the ShinyHunters group, demanding cryptocurrency payments to prevent leaked data from being published.
Meanwhile, the FBI is also tracking UNC6395, which launched attacks in August 2025 using stolen OAuth tokens linked to Salesloft’s Drift application, an AI chatbot that integrates with Salesforce. This method allowed access to Salesforce environments until August 20, when Salesloft and Salesforce revoked all Drift tokens to cut off intruders.
The FLASH includes dozens of indicators of compromise, such as suspicious IP addresses, URLs, and user-agent strings tied to the activity. Organizations are urged to investigate carefully before blocking, since some indicators may not always signal an active breach.
The FBI is recommending that companies take several steps to defend themselves. These include training call center staff to spot phishing attempts, enforcing phishing-resistant multifactor authentication, applying the principle of least privilege to accounts, monitoring API usage for anomalies, and reviewing third-party app integrations with Salesforce. Rotating keys and tokens regularly is also advised.
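As an added illustration of two of those recommendations (reviewing connected-app integrations and monitoring API usage for anomalies), the following sketch is not from the FBI FLASH or from Salesforce. It assumes a hypothetical CSV export of API activity and an organization-maintained allowlist of approved apps; all column names, app IDs and log rows are constructed for the example.

```python
import csv
import io
from difflib import SequenceMatcher
from statistics import median

# Constructed sample of connected-app API activity. Column names are
# hypothetical, not a real Salesforce log schema.
SAMPLE_LOG = """user,app_name,app_id,rows_returned
alice,Data Loader,APP-APPROVED-001,1200
alice,Data Loader,APP-APPROVED-001,900
alice,Data Loader,APP-APPROVED-001,1100
bob,Drift,APP-APPROVED-002,300
bob,Drift,APP-APPROVED-002,250
bob,Drift,APP-APPROVED-002,280
bob,Drift,APP-APPROVED-002,410000
carol,Data Loader v2,APP-UNKNOWN-777,50000
dave,Calendar Sync,APP-UNKNOWN-888,40
"""

# Assumption: the organization maintains an allowlist of reviewed apps.
APPROVED_APPS = {"APP-APPROVED-001": "Data Loader", "APP-APPROVED-002": "Drift"}

def imitates(name, approved_names, threshold=0.8):
    """Return the approved app name that `name` closely resembles, or None."""
    norm = name.lower().replace(" ", "")
    for good in approved_names:
        if SequenceMatcher(None, norm, good.lower().replace(" ", "")).ratio() >= threshold:
            return good
    return None

def review(log_text, approved=APPROVED_APPS, factor=10):
    """Return sorted (finding, user, app_id) tuples for a security review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    findings = set()
    for r in rows:
        # An app ID outside the allowlist is a finding even if its name looks official.
        if r["app_id"] not in approved:
            kind = "lookalike_app" if imitates(r["app_name"], approved.values()) else "unapproved_app"
            findings.add((kind, r["user"], r["app_id"]))
    # Volume check: compare each request with the same user's median request size.
    by_user = {}
    for r in rows:
        by_user.setdefault(r["user"], []).append(int(r["rows_returned"]))
    for r in rows:
        if int(r["rows_returned"]) > factor * median(by_user[r["user"]]):
            findings.add(("volume_spike", r["user"], r["app_id"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The volume check also flags an approved app whose token starts pulling far more data than usual, which is the case an allowlist alone would miss.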
Any organizations that spot suspicious activity are encouraged to report it through the FBI’s Internet Crime Complaint Center at ic3.gov or to a local field office. By sharing threat details, the bureau says security teams can help track malicious actors and prevent future intrusions.