FBI Warns of Salesforce Data Theft

In September 2025 the FBI issued a FLASH alert warning of data theft and extortion campaigns against Salesforce environments, attributed to two threat clusters tracked as UNC6040 and UNC6395. Both clusters compromise organisations' Salesforce instances, steal the data held there and then extort the victims.

The FBI shared Indicators of Compromise (IOCs) for both clusters, including:

  • User agent strings
  • IP addresses
  • Malicious URLs

How UNC6040 Targets Salesforce Data

UNC6040 was first documented by Google Threat Intelligence Group (Mandiant) in June 2025. Since late 2024 the group has relied on vishing: callers impersonating IT support talk employees through Salesforce's connected-app authorisation flow and get them to approve a modified copy of the Salesforce Data Loader, often renamed “My Ticket Portal.” Because the user approves the app themselves, no exploit and no MFA bypass is needed; the OAuth app inherits the user's data access and is then used to query and mass-export Salesforce objects. The stolen data was later passed to the extortion group ShinyHunters.

What Salesforce Data Was Stolen?

ShinyHunters said they primarily targeted the Account and Contact objects, which hold customer and business-relationship data. Victims included major global organisations such as:

  • Google
  • Adidas
  • Qantas
  • Allianz Life
  • Cisco
  • Kering
  • Louis Vuitton
  • Dior
  • Tiffany & Co.

UNC6395 and OAuth Token Exploitation

In August 2025, UNC6395 ran a separate campaign using OAuth access and refresh tokens stolen from Salesloft Drift, a third-party chat integration that many Salesforce tenants had authorised. Between August 8th and 18th the actor used those tokens to query Salesforce objects, notably support cases, and export them in bulk. The exported case text was then mined for secrets that customers had pasted into tickets, such as AWS access keys, Snowflake tokens and passwords, and those secrets were used to pivot into other cloud environments for further data theft and extortion.
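To see what a defender has to assume was exposed once case data leaves the tenant, the following added example (not code from the page, the FBI or Mandiant) scans a batch of constructed support-case records for the kinds of secrets named above. The record layout, the pattern set and the sample cases are assumptions for illustration; the AWS key ID pattern matches Amazon's documented example key, and the Snowflake and key=value rules are deliberately loose so that a human triages and rotates whatever is flagged.

```python
import re
from typing import Dict, Iterable, List

# Illustrative detection rules (an assumption, not the actor's or the FBI's list).
SECRET_RULES = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper/digit chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key material pasted into a ticket
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # snowflake://user:password@account style connection URLs
    "snowflake_connection_url": re.compile(r"\bsnowflake://[^\s/]+:[^\s@]+@[^\s/]+", re.I),
    # key=value credentials commonly pasted into support tickets; group 1 is the value
    "credential_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?([^\s\"',;]{8,})",
        re.I,
    ),
}


def redact(value: str) -> str:
    """Keep enough of the match to locate it in the record, hide the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str) -> List[Dict[str, str]]:
    """Run every rule over one free-text field and return redacted findings."""
    findings = []
    for name, rx in SECRET_RULES.items():
        for m in rx.finditer(text):
            # for the key=value rule report the value, not the label
            raw = m.group(1) if m.groups() else m.group(0)
            findings.append({"rule": name, "value": redact(raw)})
    return findings


def scan_cases(cases: Iterable[Dict[str, str]],
               fields=("Subject", "Description", "Comments")) -> List[Dict[str, str]]:
    """Scan the free-text fields of each case record; returns one entry per hit."""
    results = []
    for case in cases:
        for field in fields:
            for finding in scan_text(case.get(field) or ""):
                results.append({"case": case["Id"], "field": field, **finding})
    return results


# Constructed sample cases (not real tickets); IDs are placeholders.
SAMPLE_CASES = [
    {"Id": "500XX0000001", "Subject": "S3 upload fails",
     "Description": "Using AKIAIOSFODNN7EXAMPLE and secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY still get 403"},
    {"Id": "500XX0000002", "Subject": "Warehouse sync",
     "Description": "conn string snowflake://svc_etl:Sup3rS3cret!@xy12345.us-east-1 errors out"},
    {"Id": "500XX0000003", "Subject": "Billing question",
     "Description": "Invoice total looks wrong for March."},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f['case']} {f['field']:<12} {f['rule']:<26} {f['value']}")
```

Run it against a CSV or Bulk API export of your Case object and treat every hit as a credential to rotate, not merely to redact: the attacker already has the unredacted copy.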

How Did the Salesforce Attack Originate?

Mandiant found that the campaign traced back to a compromise of Salesloft's GitHub account beginning in March 2025. From there the actor reached Drift's cloud environment and obtained the OAuth tokens Drift held for its customers' Salesforce integrations, setting the stage for the widespread Salesforce intrusions.

Companies Impacted by Salesforce Data Breaches

The campaign affected many high-profile companies, including:

  • Cloudflare
  • Zscaler
  • Tenable
  • CyberArk
  • Elastic
  • BeyondTrust
  • Proofpoint
  • JFrog
  • Nutanix
  • Qualys
  • Rubrik
  • Cato Networks
  • Palo Alto Networks

These incidents show why OAuth tokens issued to third-party integrations are now a central cloud security risk: a token is the product of a login that has already completed, so it sidesteps MFA, and a single compromised integration vendor holds tokens for every tenant that authorised it.

Were ShinyHunters Behind the Salesforce Attacks?

The FBI FLASH refers to the activity only by the cluster names UNC6040 and UNC6395 and does not attribute it to a named criminal brand; ShinyHunters, however, claimed responsibility. They also claimed overlap with Lapsus$, Scattered Spider and other extortion groups, reflecting a growing convergence between these gangs.

Hackers Claim Access to Sensitive FBI and Google Systems

In a parting message, the hackers claimed to have compromised:

  • The FBI’s E-Check background check system
  • Google’s Law Enforcement Request system

Screenshots were posted as proof, though authenticity remains unconfirmed. If true, such access could allow impersonation of law enforcement and extraction of sensitive individual records. The FBI declined to comment, and Google did not respond to media inquiries.

Key Takeaways for Cybersecurity Defenders

These campaigns show that:

  • Salesforce environments are high-value targets for data theft.
  • OAuth token security is critical in preventing unauthorised access.
  • Social engineering and vishing attacks remain effective entry points.
  • Extortion groups are increasingly collaborating across clusters.

Organisations should search Salesforce login history and event logs for the FBI-provided IOCs, restrict which users can authorise connected apps and review the apps already connected, revoke and rotate any Drift or other third-party integration tokens that may have been exposed, treat credentials pasted into support cases as compromised and rotate them, and train staff to recognise IT-support impersonation calls.
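As an added example (not from the page, the FBI or ZENDATA) of what that monitoring looks like in practice, the block below runs IOC and behaviour checks over constructed Salesforce-style login/API records. The column names, the IOC values (documentation IP ranges and made-up user agents) and the approved-app allowlist are placeholders; substitute the indicators from the FBI FLASH and your own allowlist. It flags IOC user agents, IOC source IPs, connected apps nobody approved (the UNC6040 Data Loader pattern) and high-volume Bulk API exports by one user and app.

```python
import csv
import io
import ipaddress
from collections import Counter

# Placeholder indicators (constructed; replace with the FBI FLASH values).
IOC_USER_AGENTS = {"ExampleFetcher/1.0", "bulk-exporter/0.9"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]
# Connected apps your admins have actually approved (constructed allowlist).
APPROVED_CONNECTED_APPS = {"Salesforce for Outlook", "Drift"}
# Rows exported through the Bulk API by one user+app pair above which we alert.
BULK_ROW_THRESHOLD = 100_000

# Constructed log excerpt in a simplified, Salesforce-like layout (assumption,
# not the real LoginHistory or EventLogFile schema).
SAMPLE_LOG = """TIMESTAMP,USER_NAME,SOURCE_IP,USER_AGENT,CONNECTED_APP,API_TYPE,ROWS_RETURNED
2025-08-10T02:14:03Z,alice@corp.example,198.51.100.7,ExampleFetcher/1.0,My Ticket Portal,Bulk,180000
2025-08-10T02:20:11Z,alice@corp.example,198.51.100.7,Mozilla/5.0 (X11; Linux x86_64),My Ticket Portal,Bulk,90000
2025-08-10T09:05:44Z,bob@corp.example,192.0.2.15,Mozilla/5.0 (Windows NT 10.0; Win64; x64),Salesforce for Outlook,REST,12
2025-08-11T13:30:00Z,carol@corp.example,203.0.113.44,Drift-Integration/2.3,Drift,REST,5000
"""


def parse_records(csv_text):
    """Parse the CSV excerpt into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def ip_in_iocs(ip_str):
    """True if the address falls inside any IOC network; bad input is not a match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)


def detect(records, bulk_threshold=BULK_ROW_THRESHOLD):
    """Return one alert dict per rule hit; volume rule is evaluated per user+app."""
    alerts = []
    bulk_rows = Counter()
    for r in records:
        base = {"time": r["TIMESTAMP"], "user": r["USER_NAME"]}
        if r["USER_AGENT"] in IOC_USER_AGENTS:
            alerts.append({**base, "rule": "ioc_user_agent", "detail": r["USER_AGENT"]})
        if ip_in_iocs(r["SOURCE_IP"]):
            alerts.append({**base, "rule": "ioc_source_ip", "detail": r["SOURCE_IP"]})
        if r["CONNECTED_APP"] not in APPROVED_CONNECTED_APPS:
            alerts.append({**base, "rule": "unapproved_connected_app",
                           "detail": r["CONNECTED_APP"]})
        if r["API_TYPE"] == "Bulk":
            bulk_rows[(r["USER_NAME"], r["CONNECTED_APP"])] += int(r["ROWS_RETURNED"])
    # Mass export: many Bulk rows pulled by the same user through the same app.
    for (user, app), rows in bulk_rows.items():
        if rows > bulk_threshold:
            alerts.append({"time": None, "user": user, "rule": "bulk_export_volume",
                           "detail": f"{app}: {rows} rows via Bulk API"})
    return alerts


def summarize(alerts):
    """Count alerts per rule, handy for a first triage view."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_LOG)):
        print(f"{a['time'] or '-':<20} {a['user']:<20} {a['rule']:<26} {a['detail']}")
```

Note that the Drift row is flagged by source IP even though Drift is on the allowlist: an approved integration does not become trustworthy again after its vendor's tokens are stolen, so IOC matching has to run independently of the app allowlist, and the fix is to revoke the token, not to edit the list.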
