

The Federal Bureau of Investigation (FBI) has issued a high-priority cybersecurity warning about two criminal groups, UNC6040 and UNC6395, launching coordinated campaigns against Salesforce platforms.
This FBI Warning Salesforce Attack alert outlines a new wave of intrusions that abuse OAuth tokens, a widely trusted authorization mechanism, to gain unauthorized access to Salesforce data through third-party apps. Unlike traditional phishing or password-theft attacks, these incidents bypass multi-factor authentication (MFA) and appear legitimate to monitoring systems, making them especially dangerous.
Businesses of every size, from healthcare practices to Fortune 500 firms, must now reconsider how connected apps and OAuth tokens are managed inside their Salesforce environments.
FBI Warning Salesforce Attack | UNC6040 & UNC6395 Threats
Table of Contents
- Who Are UNC6040 and UNC6395?
  - UNC6040 – The Vishing Specialists
  - UNC6395 – The OAuth Token Exploiters
- Why Salesforce Is a Prime Target
- Technical Breakdown: How the Salesforce Attack Works
  - Step 1: Social Engineering or Token Theft
  - Step 2: OAuth Token Abuse
  - Step 3: Data Exfiltration
  - Step 4: Extortion & Monetization
- Real-World Business Impact
- Lessons Learned from the FBI Warning
- How Businesses Can Protect Against Salesforce Attacks
  1. Audit All Connected Apps
  2. Revoke and Rotate Tokens
  3. Limit App Approval Authority
  4. Strengthen Monitoring and Logging
  5. Apply Network Controls
  6. Train Staff Against Vishing
  7. Adopt Zero-Trust Architecture
- Industry-Specific Risks
- How Zevonix Helps Protect Against Salesforce Attacks
- Conclusion
- Frequently Asked Questions
  - What is the FBI Warning Salesforce Attack about?
  - How do hackers exploit OAuth tokens in Salesforce?
  - Who are UNC6040 and UNC6395 mentioned in the FBI warning?
  - What data can be stolen in the Salesforce attacks?
  - How can my business protect against the FBI Warning Salesforce Attack?
Who Are UNC6040 and UNC6395?
UNC6040 – The Vishing Specialists
UNC6040 has a history of using voice phishing (vishing), where attackers impersonate IT support over the phone. Victims are persuaded to install or authorize malicious Salesforce apps. Once approved, these apps exploit OAuth tokens to extract Salesforce records at scale.
- Past activity: UNC6040 has been tied to data theft campaigns against U.S. companies, often followed by extortion attempts.
- Tactics: They use modified Salesforce Data Loader tools or clone apps to appear trustworthy.
UNC6395 – The OAuth Token Exploiters
UNC6395 specializes in abusing third-party integrations. In 2025, they compromised tokens from the Salesloft–Drift app, allowing them to query Salesforce databases across hundreds of companies.
- Past activity: UNC6395 has connections to credential-harvesting operations targeting cloud platforms.
- Tactics: Rather than contacting users, they leverage compromised OAuth tokens to silently access Salesforce instances.
Both groups converge on the same endgame: data theft and extortion.
Why Salesforce Is a Prime Target
Salesforce is the world’s leading CRM platform, housing enormous amounts of sensitive data:
- Customer personally identifiable information (PII)
- Financial transactions and account histories
- Sales pipelines and strategic forecasts
- Integration credentials (AWS keys, Snowflake tokens, database access)
For attackers, this is a gold mine. Access to Salesforce isn’t just about stealing contacts — it’s about unlocking a treasure chest of business intelligence, financial data, and even cloud infrastructure credentials that can fuel larger breaches.
Technical Breakdown: How the Salesforce Attack Works
Step 1: Social Engineering or Token Theft
- UNC6040 uses vishing calls to trick employees into approving a malicious app.
- UNC6395 exploits existing OAuth tokens from third-party apps like Drift, bypassing employee interaction.
Step 2: OAuth Token Abuse
OAuth is designed to let apps connect securely without sharing usernames or passwords. But once an OAuth token is granted, it acts like a master key until revoked or expired.
Attackers use these tokens to:
- Send SOQL queries to extract Salesforce records.
- Exfiltrate entire datasets unnoticed.
- Generate new refresh tokens to maintain persistence.
Step 3: Data Exfiltration
Data is funneled out via Salesforce APIs, often disguised as legitimate traffic. Stolen records may include:
- Customer lists
- Contract details
- Cloud infrastructure credentials
- Authentication keys for other platforms
Step 4: Extortion & Monetization
After exfiltrating data, attackers often demand payment to prevent leaks or sell the information on dark web marketplaces.
This technical flow is why the FBI Warning Salesforce Attack has raised such alarm — attackers aren’t breaking in through the front door, they’re walking through trusted side doors.
Real-World Business Impact
The fallout from these Salesforce attacks goes far beyond technical inconvenience:
- Regulatory Penalties
  - Healthcare firms face HIPAA violations.
  - Financial companies risk SOX and PCI-DSS noncompliance.
  - Global businesses may trigger GDPR fines.
- Reputation Damage: Customers who learn their information was exposed lose trust quickly, and competitors may seize the opportunity.
- Financial Losses
  - Direct costs: forensic investigations, incident response teams, extortion payments.
  - Indirect costs: lost sales, churned clients, stock value decline.
- Operational Disruption: When attackers exfiltrate API keys or system credentials, businesses may lose access to cloud platforms or face cascading outages.
- Extortion Pressure: Groups like UNC6040 and UNC6395 sometimes pose as high-profile data leak groups (e.g., ShinyHunters), magnifying fear and urgency.
Lessons Learned from the FBI Warning
The key lesson of this Salesforce attack warning is that trust can be weaponized. OAuth tokens, third-party integrations, and connected apps — once considered safe — are now attack surfaces.
This warning pushes businesses toward a zero-trust mindset, where every app, token, and permission must be continuously scrutinized.
How Businesses Can Protect Against Salesforce Attacks
1. Audit All Connected Apps
- Review every Salesforce app authorized in your environment.
- Remove unnecessary apps or reduce permissions to the bare minimum.
2. Revoke and Rotate Tokens
- If a third-party integration like Drift or Salesloft was affected, revoke all tokens immediately.
- Rotate any credentials potentially exposed in Salesforce datasets.
3. Limit App Approval Authority
- Restrict who can install or approve new apps.
- Establish internal review processes before authorization.
4. Strengthen Monitoring and Logging
- Use Salesforce Event Monitoring to track API calls and SOQL queries.
- Watch for unusual export volumes or jobs created outside of normal business hours.
5. Apply Network Controls
- Limit Salesforce access to trusted IP ranges.
- Block TOR or suspicious VPN traffic.
6. Train Staff Against Vishing
- Provide employees with scripts to verify IT requests.
- Regularly test teams with simulated phishing/vishing calls.
7. Adopt Zero-Trust Architecture
- Treat OAuth tokens like privileged credentials.
- Implement continuous verification of permissions and user behavior.
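As an added illustration of recommendation 4 (not code from the original post or from Zevonix), the detector below runs over constructed Salesforce Event Monitoring style API rows and flags connected apps that pull full-object record volumes or issue calls outside business hours, the two signals that distinguish the token-abuse exfiltration described in Steps 2 and 3 from routine integration traffic. The column layout (TIMESTAMP_DERIVED, USER_ID_DERIVED, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED), the thresholds, and the UTC business-hours window are assumptions; the app names, user ids and row counts are invented.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in an EventLogFile "API" event style layout (an assumption
# about the export format); app names, user ids and row counts are invented.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-09-10T14:05:12.000Z,005EXAMPLE00001,InternalDashboard,Opportunity,180
2025-09-10T02:11:03.000Z,005EXAMPLE00002,ChatIntegrationApp,Contact,250000
2025-09-10T02:13:27.000Z,005EXAMPLE00002,ChatIntegrationApp,Case,120000
2025-09-10T02:15:55.000Z,005EXAMPLE00002,ChatIntegrationApp,Account,90000
2025-09-10T15:30:00.000Z,005EXAMPLE00003,ReportingTool,Account,2000
"""

ROW_THRESHOLD = 100_000        # rows one app+user pair may pull per log file before review
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; timestamps are treated as UTC (assumption)


def parse_events(text):
    """Parse API event rows into the fields the detector needs."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": row["USER_ID_DERIVED"], "app": row["CLIENT_NAME"],
            "entity": row["ENTITY_NAME"], "rows": int(row["ROWS_PROCESSED"] or 0),
        })
    return events


def find_suspicious_apps(events, row_threshold=ROW_THRESHOLD, hours=BUSINESS_HOURS):
    """Return {(app, user): [reasons]} for pairs that bulk-pull data or work off-hours."""
    totals, off_hours, objects = defaultdict(int), defaultdict(int), defaultdict(set)
    for e in events:
        key = (e["app"], e["user"])
        totals[key] += e["rows"]
        objects[key].add(e["entity"])
        if e["ts"].hour not in hours:
            off_hours[key] += 1
    alerts = {}
    for key, total in totals.items():
        reasons = []
        if total > row_threshold:   # volume typical of a full-object export, not normal use
            reasons.append(f"{total} rows pulled across {sorted(objects[key])}")
        if off_hours[key]:          # jobs created outside normal business hours
            reasons.append(f"{off_hours[key]} API calls outside business hours")
        if reasons:
            alerts[key] = reasons
    return alerts
```

Each flagged (app, user) pair is a candidate for the connected-app audit and token revocation steps above; on a real export, tune the threshold per integration rather than using one global number.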
Industry-Specific Risks
Different industries face unique risks from the FBI Warning Salesforce Attack:
- Healthcare: Exposed Salesforce data could mean HIPAA penalties and massive loss of patient trust.
- Financial Services: Stolen Salesforce data may reveal sensitive financial accounts or investment strategies.
- Legal Firms: Compromised case records could devastate client confidentiality.
- Nonprofits: Donor lists and funding details could be exfiltrated, undermining donor confidence.
For all industries, the message is the same: Salesforce is now a high-value target.
How Zevonix Helps Protect Against Salesforce Attacks
At Zevonix, we integrate Salesforce security into our Six-Step Pathway to Smarter IT:
- Discovery & Strategy – Identify all connected apps and map data flows.
- Tailored IT Solutions – Deploy OAuth security policies and monitoring.
- Implementation & Deployment – Configure Salesforce with principle-of-least-privilege access.
- Security Fortification – Apply zero-trust safeguards across SaaS environments.
- Ongoing Support & Optimization – Continuous audits of connected apps and tokens.
- Growth & Innovation – Ensure Salesforce remains a growth enabler, not a liability.
This pathway ensures your Salesforce data is protected against evolving threats like UNC6040 and UNC6395.
Conclusion
The FBI Warning Salesforce Attack is more than just another alert, it’s a signal that OAuth token abuse and trusted integrations have become prime attack vectors. Groups like UNC6040 and UNC6395 are exploiting gaps in app governance to steal data, extort businesses, and cause widespread disruption.
For businesses, the path forward is clear: audit connected apps, revoke compromised tokens, monitor activity closely, train employees, and adopt a zero-trust mindset.
At Zevonix, we help organizations navigate these exact challenges through our comprehensive cybersecurity services. Protect your Salesforce environment today, because attackers aren’t waiting until tomorrow.
📞 Call us at 904.658.0777
🔒 Book Your meeting with Zevonix »
Frequently Asked Questions
What is the FBI Warning Salesforce Attack about?
The FBI Warning Salesforce Attack refers to cybercriminal groups UNC6040 and UNC6395 targeting Salesforce platforms. They exploit OAuth tokens from third-party apps to steal sensitive data and demand extortion payments.
How do hackers exploit OAuth tokens in Salesforce?
Attackers trick users into approving malicious connected apps or abuse stolen OAuth tokens from integrations. These tokens act like master keys, giving them access to Salesforce data without needing passwords or MFA.
Who are UNC6040 and UNC6395 mentioned in the FBI warning?
UNC6040 is known for vishing attacks that impersonate IT staff, while UNC6395 exploits OAuth tokens from third-party tools like Drift and Salesloft. Both groups use these methods to infiltrate Salesforce and steal business data.
What data can be stolen in the Salesforce attacks?
The FBI warning highlights that customer records, financial details, contracts, and even cloud service credentials (like AWS or Snowflake keys) can be stolen during these Salesforce attacks.
How can my business protect against the FBI Warning Salesforce Attack?
You can protect against these attacks by auditing connected apps, revoking unused tokens, restricting who can authorize apps, enabling Salesforce monitoring, and training employees to recognize vishing attempts.
https://zevonix.com/fbi-warning-salesforce-attack-unc6040-unc6395-threats/