FBI Warns of Major Salesforce Data Breaches by UNC6040 and UNC6395
The FBI has issued an urgent FLASH alert warning that two cybercrime groups, UNC6040 and UNC6395, are breaching companies’ Salesforce environments to steal sensitive data and demand ransoms. The coordinated campaigns have hit dozens of high-profile firms in recent months, exposing massive stores of customer and support information.
The FBI said the groups are using OAuth tokens and social engineering to quietly siphon data from Salesforce, then extorting victims using the stolen information.
How the attackers are breaking into Salesforce
The alert explains that UNC6040 has been active since late 2024, with their attacks first disclosed by Google’s Mandiant threat intelligence unit in June. Investigators found the group tricked employees into authorizing malicious Salesforce Data Loader applications by posing as corporate IT support.
In some cases, these fake apps were named “My Ticket Portal” to appear trustworthy. Once connected to company Salesforce accounts, the apps allowed mass downloads of customer records from the “Accounts” and “Contacts” database tables. ShinyHunters, an extortion group, later weaponized this data to pressure companies into paying ransoms.
These early campaigns affected major global brands including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co., showing how widely the tactic spread before being detected.
New wave of breaches linked to UNC6395
While UNC6040 focused on stealing customer records, a newer campaign emerged in August using a different route. Labeled UNC6395, these attacks involved stolen OAuth and refresh tokens from Salesloft’s Drift platform that gave attackers direct access to Salesforce instances.
According to investigators, this activity occurred between August 8 and 18. Once inside, the attackers harvested sensitive support case data, which often contained secrets, passwords, AWS keys, Snowflake tokens, and other credentials. These details allowed them to pivot deeper into company cloud environments, escalating the scale of the breaches.
Salesloft later collaborated with Salesforce to revoke all Drift tokens and force customers to reauthenticate. However, it was later revealed that the attackers had also taken Drift Email tokens, letting them read emails in a small number of Google Workspace accounts.
Breach traced back to Salesloft GitHub compromise
Mandiant’s investigation discovered the root cause: a compromise of Salesloft’s GitHub repositories dating back to March. This foothold gave the attackers the opportunity to steal Drift OAuth tokens, setting up the August wave of Salesforce intrusions.
The impact has been severe. Victims of the Drift token thefts include Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks, among others.
Security experts warn that stolen Salesforce support data can act as a blueprint for breaching other company systems, multiplying the damage.
Overlapping hacker crews claim responsibility
The FBI did not officially name the culprits behind these campaigns, but members of the ShinyHunters group told investigators they were involved, along with others calling themselves Scattered Lapsus$ Hunters. This collective claims ties to past notorious crews such as Lapsus$, Scattered Spider, and ShinyHunters.
On Thursday, the group posted a message on a domain linked to the BreachForums marketplace saying they would “go dark” and stop discussing their operations on Telegram. Yet in the same post, they boasted of accessing the FBI’s E-Check background system and Google’s Law Enforcement Request system, even publishing screenshots as supposed proof.
If confirmed, this would give them the ability to impersonate law enforcement and pull private records on individuals. The FBI declined to comment when asked about the claim, and Google did not respond to requests for comment.
What this means for businesses using Salesforce
The FBI’s FLASH alert urged all companies to review their Salesforce security configurations and monitor for indicators of compromise linked to both UNC6040 and UNC6395. The agency provided technical details to help network defenders detect intrusions early.
Cybersecurity experts say these attacks highlight how SaaS platforms like Salesforce can become single points of failure when access tokens are stolen or misused. Unlike traditional breaches that require exploiting software bugs, these incidents succeeded largely through social engineering and stolen credentials, which are harder to detect.
Some security teams are now:
Requiring multifactor authentication for all Salesforce logins
Reviewing all connected OAuth apps and revoking unused ones
Scanning support cases for leaked credentials or secrets
Companies are also being urged to reset passwords and rotate keys stored in support tickets or documentation, which could be used by attackers to infiltrate other systems.
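As an added example, not from the FBI alert or this article: a small Python scanner that runs the third item above over support-case text, flagging the kinds of secrets the article says UNC6395 harvested (AWS keys, passwords, private keys, API tokens) so a team can find and rotate them first. The case bodies are constructed; the AWS access key ID prefix pattern follows AWS's documented format, and the remaining patterns are heuristics that will need tuning per organization.

```python
import re

# Constructed sample support-case bodies (not real data); this is the kind of
# text the alert describes attackers harvesting from compromised Salesforce orgs.
SAMPLE_CASES = [
    {"id": "CASE-0001", "body": "Customer cannot log in. Temporary password=Winter2024! set for them."},
    {"id": "CASE-0002", "body": "S3 sync script uses AKIAIOSFODNN7EXAMPLE with secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0003", "body": "Resolved: printer driver reinstalled, no further action."},
    {"id": "CASE-0004", "body": "Pasting key for debugging:\n-----BEGIN RSA PRIVATE KEY-----\nMIIE..."},
]

# Detection patterns. The AKIA/ASIA + 16 chars form is AWS's documented access
# key ID format; the others are heuristics (assumptions) and will produce some
# false positives that an analyst must triage.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)(?:secret|aws_secret_access_key)[^A-Za-z0-9/+]{0,20}([A-Za-z0-9/+]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "api_token_assignment": re.compile(r"(?i)\b(?:token|api[_-]?key)\s*[:=]\s*\S{16,}"),
}


def redact(value):
    """Keep a short prefix so an analyst can triage, never the full secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_case(body):
    """Return a list of {'type', 'redacted'} findings for one case body."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            # Use the capture group when the pattern has one (the secret itself),
            # otherwise the whole match.
            hit = match.group(1) if match.lastindex else match.group(0)
            findings.append({"type": name, "redacted": redact(hit)})
    return findings


def scan_cases(cases):
    """Map case id -> findings, keeping only cases that contain something."""
    report = {}
    for case in cases:
        findings = scan_case(case["body"])
        if findings:
            report[case["id"]] = findings
    return report


if __name__ == "__main__":
    for case_id, findings in scan_cases(SAMPLE_CASES).items():
        print(case_id, [(f["type"], f["redacted"]) for f in findings])
```

Each flagged case should be treated as a credential to rotate, not just a ticket to clean up, since the text may already have been exported.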
The growing threat of data extortion campaigns
The incidents reflect a wider trend of data extortion replacing traditional ransomware. Instead of encrypting files, attackers simply steal data and threaten to leak it publicly unless paid. This method leaves systems intact but weaponizes the threat of reputational and regulatory fallout.
Experts warn that as long as stolen data has value, extortion attacks will continue to rise.
Organizations that use Salesforce as a hub for customer, financial, or support data are especially attractive targets. Many companies underestimate how much sensitive information is stored across their SaaS platforms until it is stolen.
As cybercriminal groups become more organized, collaborative, and specialized, security researchers expect further waves of supply chain style breaches, where compromising one vendor gives attackers indirect access to hundreds of customer environments.
The FBI’s warning shows how fast cybercrime tactics are evolving and how attackers are shifting toward softer human targets rather than technical exploits. Companies that depend on Salesforce should act now to strengthen access controls and tighten monitoring.