FBI warning: crime rings are nicking your Salesforce data
The FBI has issued a flash alert about two financially motivated threat clusters, UNC6395 and UNC6040, actively raiding Salesforce environments for data theft and extortion. UNC6395 piggy-backed on the Salesloft Drift incident by abusing compromised OAuth tokens, a breach Salesloft links to an earlier GitHub account compromise (March–June 2025). Salesloft has since isolated Drift, taken it offline, and is hardening access. UNC6040, meanwhile, relies on voice-phishing (vishing) to social-engineer access, then uses a tweaked Salesforce Data Loader and custom Python scripts to bulk-exfiltrate data before attempting extortion, sometimes via a related cluster dubbed UNC6240 that has claimed ties to ShinyHunters. In the background drama, ShinyHunters, Scattered Spider, and LAPSUS$ briefly announced a “unified” effort and then proclaimed they were shutting down, moves that experts warn rarely signal a true retirement. The upshot: organisations should treat Salesforce and connected apps as high-risk targets and tighten identity, OAuth, and API governance.
Two cybercrime crews—catchily named UNC6395 and UNC6040—are going after Salesforce like seagulls at a seaside chippy. Their goal? Steal customer data at scale and squeeze companies with extortion.
Who’s who
• UNC6395 rode the wave of the Salesloft Drift fiasco, using compromised OAuth tokens to slip into Salesforce tenants. Salesloft says the issues trace back to a GitHub breach earlier this year; Drift has been taken offline while they add extra security.
• UNC6040 skips the fancy zero-days and phones your staff instead. With vishing, plus a tweaked Salesforce Data Loader and some Python, they hoover up data via APIs—then circle back with pay-up emails.
Why you should care
Because these attacks use legitimate access paths—tokens, APIs, and helpful humans—they can look like normal business until the export job finishes. Classic AV won’t save you here.
What to do (today, please)
• Clamp down on OAuth: review connected apps, prune access, rotate secrets, and monitor token use.
• Harden identity: enforce phishing-resistant MFA and step-up checks for Salesforce admins and integrator accounts.
• Watch the APIs: alert on unusual Data Loader activity, mass exports, and suspicious SOQL queries.
• Prepare for vishing: train staff to verify callers and use out-of-band checks before approving access.
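To make the "watch the APIs" step concrete, here is a small detector, added as an example for this post (it is not code from the FBI alert, Salesforce, or Salesloft). It runs three checks over API log lines: Data Loader-style clients touching sensitive objects, SOQL queries with no WHERE or LIMIT clause (a whole-object pull), and a per-user rolling count of rows returned that trips above a threshold. The log format, client names, user IDs, thresholds and the "sensitive objects" list are all assumptions constructed for the example; the columns only loosely resemble Salesforce Event Monitoring fields and are not the real schema, so map them to whatever your tenant actually exports.

```python
"""Toy detector for bulk-export patterns in Salesforce-style API logs.

Added example, not from the original article. The log layout below is
CONSTRUCTED: it loosely mirrors Salesforce Event Monitoring API events
but is not the real schema. Adapt the column names to your own export.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Users, apps and counts
# are invented; u002 and u003 model the bulk-pull behaviour described.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,OPERATION,ENTITY,ROWS,QUERY
2025-09-01T10:00:00Z,u001,SalesforceMobile,query,Account,25,SELECT Id FROM Account WHERE OwnerId='u001' LIMIT 25
2025-09-01T10:02:00Z,u002,DataLoaderPartnerUI,query,Contact,200000,SELECT Id,Email,Phone FROM Contact
2025-09-01T10:03:00Z,u002,DataLoaderPartnerUI,query,Account,80000,SELECT Id,Name FROM Account
2025-09-01T10:05:00Z,u003,ThirdPartyConnectedApp,query,Case,150000,SELECT Id,Subject,Description FROM Case
2025-09-01T11:00:00Z,u001,SalesforceMobile,query,Contact,10,SELECT Id FROM Contact WHERE AccountId='x' LIMIT 10
"""

# Example thresholds; tune them to the tenant's normal baseline.
ROWS_PER_USER_WINDOW = 100_000          # rows per user per sliding window
WINDOW = timedelta(hours=1)
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Lead"}  # assumption


def parse_log(text):
    """Parse the CSV-style log into dicts with typed TIMESTAMP and ROWS."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["TIMESTAMP"] = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ROWS"] = int(rec["ROWS"])
        records.append(rec)
    return records


def is_unbounded_soql(query):
    """True when the query has neither a WHERE nor a LIMIT clause,
    i.e. it asks for every record of the object."""
    return not re.search(r"\bWHERE\b|\bLIMIT\b", query, re.IGNORECASE)


def detect(records):
    """Return a list of (rule, user_id, detail) findings."""
    findings = []

    # Rule 1 & 2: per-request checks on client name and query shape.
    for r in records:
        if "DATALOADER" in r["CLIENT_NAME"].upper() and r["ENTITY"] in SENSITIVE_OBJECTS:
            findings.append(("dataloader_sensitive", r["USER_ID"], r["ENTITY"]))
        if r["ENTITY"] in SENSITIVE_OBJECTS and is_unbounded_soql(r["QUERY"]):
            findings.append(("unbounded_soql", r["USER_ID"], r["QUERY"]))

    # Rule 3: rows returned per user inside a sliding time window.
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda x: x["TIMESTAMP"]):
        by_user[r["USER_ID"]].append(r)

    for user, recs in by_user.items():
        start, total, peak = 0, 0, 0
        for end, r in enumerate(recs):
            total += r["ROWS"]
            # Slide the window forward until it spans at most WINDOW.
            while recs[end]["TIMESTAMP"] - recs[start]["TIMESTAMP"] > WINDOW:
                total -= recs[start]["ROWS"]
                start += 1
            peak = max(peak, total)
        if peak > ROWS_PER_USER_WINDOW:
            findings.append(("mass_export", user, peak))

    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22s} user={user} detail={detail}")
```

On the constructed sample, u001 (small, filtered queries from a mobile client) produces nothing, while u002 and u003 each trip the mass-export rule and the unbounded-query rule, and u002 additionally matches the Data Loader client check. The point of running three independent rules is that a token-based integration will not show a Data Loader client name at all, so the row-volume and query-shape checks are what catch the OAuth-abuse path described for UNC6395.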
Criminal crews may “retire” one week and rebrand the next. Treat Salesforce and its integrations as part of your crown jewels and monitor accordingly.