The Federal Bureau of Investigation (FBI) recently issued a FLASH alert warning that two threat groups – identified as UNC6040 and UNC6395 – are compromising the Salesforce environments of businesses to steal data and extort victims.
This warning comes after a wave of attacks on Salesforce orgs over the past few weeks, with large-scale companies such as Qantas, Chanel, Allianz Life, Farmers Insurance, and more all facing data attacks.
SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.
What Have the FBI Said?
The FBI released its official FLASH warning on September 12, detailing technical clues organizations may need to spot if these attackers are inside their Salesforce environment.
The statement reads: “The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups, UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”
The warning later highlights a list of indicators that would suggest the hacking group has successfully infiltrated an org, which includes IP addresses and URLs that are linked to both UNC6040 and UNC6395.
What We Know About the Attackers So Far
UNC6040 was first identified by Google’s Threat Intelligence Group (GTIG) in June, warning companies in a detailed blog post that threat actors had been conducting social engineering and phishing attacks on Salesforce users since late 2024.
Attackers would impersonate IT support and trick employees into authorizing malicious Data Loader OAuth apps, disguised under names such as “My Ticket Portal”. Once an app was connected, the group would conduct a mass exfiltration of Salesforce data, which was then used in extortion attempts.
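To make the connected-app audit recommended above and the FBI’s IOC list actionable, here is an added Python example (not code from Salesforce Ben, Salesforce or the FBI) that reviews records shaped like Salesforce OauthToken and LoginHistory rows for apps outside an approved list and for logins from IOC addresses. The approved-app list, the IOC addresses and the sample records are constructed placeholders; the real IOCs are in the FLASH alert and are not reproduced here.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist: the connected apps this org has knowingly approved (assumption).
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader Bulk UI"}
# Placeholder IOC addresses (RFC 5737 documentation ranges), NOT the FBI's real indicators.
IOC_IPS = {"192.0.2.10", "198.51.100.0/24"}


def ip_in_iocs(ip, iocs=IOC_IPS):
    """True if ip equals an IOC address or falls inside an IOC network."""
    addr = ipaddress.ip_address(ip)
    for ioc in iocs:
        if "/" in ioc:
            if addr in ipaddress.ip_network(ioc, strict=False):
                return True
        elif addr == ipaddress.ip_address(ioc):
            return True
    return False


def audit_oauth_tokens(tokens, now, stale_days=90):
    """Findings from OauthToken-shaped dicts (AppName, UserId, LastUsedDate)."""
    findings = []
    for t in tokens:
        reasons = []
        if t["AppName"] not in APPROVED_APPS:
            reasons.append("app not on approved list")
        if t["LastUsedDate"] is None or now - t["LastUsedDate"] > timedelta(days=stale_days):
            reasons.append("token unused for >%d days" % stale_days)
        if reasons:
            findings.append((t["AppName"], t["UserId"], reasons))
    return findings


def flag_logins(logins):
    """Hits from LoginHistory-shaped dicts (UserId, SourceIp, Application, Status)."""
    hits = []
    for rec in logins:
        reasons = []
        if ip_in_iocs(rec["SourceIp"]):
            reasons.append("source IP matches IOC list")
        if rec["Application"] not in APPROVED_APPS and rec["Status"] == "Success":
            reasons.append("successful login via unapproved app")
        if reasons:
            hits.append((rec["UserId"], rec["Application"], reasons))
    return hits


# Constructed sample records for a stand-alone run; real data comes from SOQL queries.
NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"AppName": "Salesforce for Outlook", "UserId": "005A", "LastUsedDate": NOW - timedelta(days=1)},
    {"AppName": "My Ticket Portal", "UserId": "005B", "LastUsedDate": NOW - timedelta(days=2)},
    {"AppName": "Salesforce for Outlook", "UserId": "005C", "LastUsedDate": NOW - timedelta(days=120)},
]
SAMPLE_LOGINS = [
    {"UserId": "005A", "SourceIp": "203.0.113.5", "Application": "Salesforce for Outlook", "Status": "Success"},
    {"UserId": "005B", "SourceIp": "198.51.100.77", "Application": "My Ticket Portal", "Status": "Success"},
    {"UserId": "005D", "SourceIp": "192.0.2.10", "Application": "Browser", "Status": "Invalid Password"},
]
```

In a live org the two inputs would be the results of SOQL queries over OauthToken and LoginHistory; any hit on an unapproved app is a candidate for revocation in Connected Apps OAuth Usage.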
Speaking to BleepingComputer, ShinyHunters claim that they targeted Accounts and Contacts database tables, where the majority of customer data is stored.
It is understood that UNC6040 carried out the intrusions and stole Salesforce data, but the extortion demands were linked to the well-known ShinyHunters group. It’s not yet clear if ShinyHunters and UNC6040 are the same actors or collaborators, or if the hackers simply borrowed the ShinyHunters name to add weight to their threats.
UNC6395 emerged in August 2025, with the hackers compromising Salesloft’s Drift OAuth tokens and refresh tokens. Once the attackers obtained the stolen tokens, they were able to use them to log directly into Salesforce instances, bypassing normal authentication steps.
Their focus was on support case data, which often contains sensitive information like credentials, AWS keys, and Snowflake tokens. With this level of access, the attackers could potentially pivot into other cloud environments, expanding the scope of the breach beyond Salesforce itself.
In response, Salesloft and Salesforce worked together to revoke all compromised Drift tokens and required customers to reauthenticate.
By that time, however, numerous high-profile companies had already been impacted, including Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, Rubrik, and CyberArk. The attackers also exploited Drift Email tokens to gain access to a small number of Google Workspace accounts.
It is understood that UNC6040 and UNC6395 carried out the intrusions and stole Salesforce data, but the extortion demands were linked to the well-known ShinyHunters group. It’s not yet clear if ShinyHunters and UNC6040 are the same actors or collaborators, or if the hackers simply borrowed the ShinyHunters name to add weight to their threats.
Hackers ‘Go Dark’ on Telegram
In a surprise twist, BleepingComputer says the threat actors behind this campaign announced that they would “go dark” and stop posting about their operations on Telegram.
The message appeared last Thursday on a domain tied to BreachForums, a well-known hub for cybercriminal activity. While the reasoning isn’t entirely clear, it may be an attempt to reduce visibility as law enforcement attention intensifies.
In their parting post, the hackers made bold claims, including that they had gained access to the FBI’s E-Check background check system and Google’s Law Enforcement Request system.
Screenshots were shared as supposed proof, though neither the FBI nor Google has confirmed the claims.
Whether this “exit” is genuine or just another rebrand remains to be seen. Historically, groups like ShinyHunters, Lapsus$, and Scattered Spider have re-emerged under new names, making it likely that we haven’t seen the last of them.
Final Thoughts
The situation is escalating, and the FBI’s involvement underscores just how serious these breaches are – and how far they may already have gone.
We must stress that this issue did not stem from a vulnerability within the core Salesforce platform. Even if you do not believe your data has been breached, now is always a good time to make sure – and audit your connected apps.