Salesforce has long been a cornerstone of many businesses' customer relationship, sales, and service infrastructure. But in recent months, the platform has become a prime target for sophisticated threat actors. The FBI has issued an urgent alert warning Salesforce users of new campaigns aimed at stealing data and extorting organizations via compromised Salesforce instances.
If your organization uses Salesforce—or integrates third-party tools with it—you should pay close attention. This blog unpacks what is happening, why it matters, and how you can defend yourself.
What’s Going On: Threat Actors Targeting Salesforce
The FBI’s Alert & Two Major Threat Groups
On September 12, 2025, the FBI’s Internet Crime Complaint Center (IC3) released a FLASH advisory describing malicious campaigns targeting Salesforce user environments. [1]
The advisory names two threat actor clusters:
- UNC6040
- UNC6395
These groups target Salesforce instances through different vectors: social engineering (UNC6040) and compromised application integrations (UNC6395).
Salesforce itself has not been reported to be compromised through a platform vulnerability; the attacks abuse the access paths around integrations, OAuth tokens, APIs, and user trust.
Attack Methods in Use
1. Voice Phishing (Vishing) & Social Engineering
UNC6040 has been observed using voice-based social engineering against employees, often help-desk or call-center staff. The attackers pose as IT support, reference "auto-generated tickets," and ask the employee to perform steps that grant the attackers elevated access or credentials.
Typical tactics include:
- Asking employees to visit the Salesforce “connected apps” settings page
- Coaxing approval of a malicious connected app
- Requesting Multi-Factor Authentication (MFA) codes
- Deploying a modified version of Salesforce’s Data Loader tool to exfiltrate data
These techniques sidestep conventional controls such as password resets or login monitoring, because the malicious app operates with an OAuth token the victim legitimately authorized: its API calls look like sanctioned application traffic rather than a suspicious interactive login.
2. Compromised OAuth Tokens via Third-Party Tools
UNC6395 has used a different approach: entering the Salesforce ecosystem by abusing compromised OAuth tokens issued to a third-party tool, Salesloft's Drift chatbot.
In August 2025, threat actors used stolen OAuth tokens from the Drift integration to access customers' Salesforce environments and siphon data. In response, Salesloft revoked all active access and refresh tokens tied to Drift integrations.
Though that particular entry point was closed, an integration-based (supply-chain) compromise exposes a larger systemic weakness: every third-party app or integration that holds a token for your org is a potential attack vector, and its security posture is outside your control.
3. Extortion After Data Exfiltration
Victims of both UNC6040 and UNC6395 have received extortion demands—usually in cryptocurrency—threatening public release of stolen data. In some cases, the threats arrive days or months after the breach.
Some of these extortion claims are made under the ShinyHunters name, and several reports link the campaigns to collaboration between ShinyHunters and Scattered Spider.
Why Salesforce Users Are Being Targeted
Several factors make Salesforce a rich target for threat actors:
- Data concentration: Salesforce holds vast repositories of customer data, sales records, integration tokens, support tickets, and sensitive contacts.
- Trust in integrations: Because many organizations routinely authorize connected apps or integrate with third-party tools, malicious OAuth tokens may not trigger suspicion.
- Bypassing conventional controls: A valid OAuth token for a "trusted app" is not re-prompted for MFA, is not subject to interactive login monitoring, and is not invalidated by a user's password change, so the usual defenses against credential theft do not apply.
- Supply-chain risk: As seen via Salesloft’s Drift app, a compromise in a third-party system can cascade into Salesforce environments.
- Profit from extortion: Once data is stolen, it can be monetized through ransom, resale, or reputational harm.
The Fallout: Risks for Organizations
The consequences of a successful breach can be severe:
- Data leak / public exposure of sensitive customer or internal information
- Regulatory penalties under privacy/data protection laws (GDPR, CCPA, HIPAA, etc.)
- Brand & reputational damage among customers, partners, and prospects
- Legal liability or class-action suits depending on loss severity
- Operational disruption as security teams scramble to remediate
- Loss of competitive edge or IP if strategic data is stolen
For sectors like healthcare, finance, or retail, where Salesforce is entrenched in workflows, the impact is magnified. The American Hospital Association (AHA) has flagged the alert, especially since many hospitals use Salesforce Health Cloud.
How to Defend Your Salesforce Environment
Here are recommended mitigations, derived from the FBI’s advisory and leading security practices:
1. Train & Empower Help Desk and Support Staff
- Educate staff about vishing and social engineering signs (e.g., urgent voice calls claiming system problems).
- Establish strict verification protocols for any requests involving credential sharing or system changes.
- Encourage staff to escalate suspicious calls or requests, even if they appear plausible.
2. Use Phishing-Resistant Multi-Factor Authentication
- Deploy MFA methods that resist phishing (for example, FIDO2/WebAuthn security keys or platform authenticators) rather than one-time codes a caller can talk a user into reading out.
- Avoid relying on SMS-based 2FA, which is more easily intercepted or socially engineered.
- Require MFA on all privileged administrative accounts and integration-management users. Note that MFA is only evaluated at login: once a connected app holds an OAuth token, its API calls are not re-challenged, so MFA on its own does not stop token abuse.
3. Adhere to Principle of Least Privilege & Access Controls
- Audit user and app permissions regularly.
- Limit who can authorize connected apps or manage OAuth tokens. In Salesforce this means setting each connected app's OAuth policy to "Admin approved users are pre-authorized" and, where available, enabling API Access Control so users cannot self-authorize arbitrary apps.
- Use role-based access and only grant necessary rights.
4. Monitor & Review Activity Logs
- Continuously monitor API usage, admin events, and data export logs for anomalies, using Salesforce Login History, Setup Audit Trail, and Event Monitoring (or Real-Time Event Monitoring) where licensed.
- Watch for bulk data queries, especially from new or rarely used accounts, and for first-time use of Data Loader or a newly authorized connected app by an account that never used one before.
- Scrutinize browser, session, and network logs for suspicious behavior, such as logins from unfamiliar IP ranges or an access token being used from a different address than the login that created it.
5. Control & Vet Third-Party Integrations
- Take inventory of all connected apps and integrations to Salesforce.
- Conduct security reviews before authorizing any third-party app.
- Periodically rotate API keys, tokens, and OAuth credentials.
- Revoke or disable unused integrations.
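As an added illustration of the inventory-and-prune step (example code written for this post, not a Salesforce tool), the script below applies a simple policy to records shaped like Salesforce's `OauthToken` object, which you can pull with a SOQL query such as `SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken` (verify field availability in your API version). The approved-app list, the compromised-app list, the age limits and the sample token records are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Salesforce's OauthToken object
# (AppName, UserId, CreatedDate, LastUsedDate, UseCount are fields of that
# object; the values below are invented for this example).
TOKENS = [
    {"Id": "t1", "AppName": "Data Loader", "UserId": "ops-int",
     "CreatedDate": "2025-01-10", "LastUsedDate": "2025-09-14", "UseCount": 420},
    {"Id": "t2", "AppName": "Drift", "UserId": "sales-mgr",
     "CreatedDate": "2024-11-02", "LastUsedDate": "2025-08-19", "UseCount": 3000},
    {"Id": "t3", "AppName": "Quick Export Helper", "UserId": "jdoe",
     "CreatedDate": "2025-09-10", "LastUsedDate": "2025-09-10", "UseCount": 3},
    {"Id": "t4", "AppName": "Marketing Sync", "UserId": "mkt-int",
     "CreatedDate": "2024-03-01", "LastUsedDate": "2025-04-01", "UseCount": 9000},
    {"Id": "t5", "AppName": "Marketing Sync", "UserId": "mkt-int",
     "CreatedDate": "2025-08-01", "LastUsedDate": "2025-09-14", "UseCount": 500},
]

# Policy inputs (assumed): apps that passed a security review, apps with a
# known token-theft incident, and age limits for idle and long-lived tokens.
APPROVED_APPS = {"Data Loader", "Marketing Sync"}
COMPROMISED_APPS = {"Drift"}
STALE_AFTER = timedelta(days=90)
ROTATE_AFTER = timedelta(days=365)
AUDIT_DATE = datetime(2025, 9, 15)


def audit_tokens(tokens, approved, compromised, now=AUDIT_DATE,
                 stale_after=STALE_AFTER, rotate_after=ROTATE_AFTER):
    """Classify each token as revoke / rotate / keep, with the reasons."""
    decisions = []
    for t in tokens:
        revoke, rotate = [], []
        if t["AppName"] in compromised:
            revoke.append("app had a known token compromise")
        if t["AppName"] not in approved:
            revoke.append("app is not on the approved integration list")
        idle = now - datetime.fromisoformat(t["LastUsedDate"])
        if idle > stale_after:
            revoke.append(f"unused for {idle.days} days")
        age = now - datetime.fromisoformat(t["CreatedDate"])
        if age > rotate_after:
            rotate.append(f"token is {age.days} days old")
        # Any revoke reason wins; otherwise an old-but-active token is rotated.
        action = "revoke" if revoke else ("rotate" if rotate else "keep")
        decisions.append({"Id": t["Id"], "AppName": t["AppName"],
                          "UserId": t["UserId"], "action": action,
                          "reasons": revoke + rotate})
    return decisions


def unapproved_apps(tokens, approved):
    """Inventory view: apps holding tokens that never went through review."""
    return sorted({t["AppName"] for t in tokens} - set(approved))


if __name__ == "__main__":
    for d in audit_tokens(TOKENS, APPROVED_APPS, COMPROMISED_APPS):
        print(f'{d["action"]:6} {d["AppName"]:20} {d["UserId"]:10} '
              f'{"; ".join(d["reasons"])}')
    print("needs review:", unapproved_apps(TOKENS, APPROVED_APPS))
```

The actual revocation is done in Setup under Connected Apps OAuth Usage (or by deleting the `OauthToken` record via the API), and the "rotate" outcome means re-authorizing the integration so a fresh token replaces the old one before the old one is revoked.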
6. Implement IP-Based Access Restrictions
- Force logins and administrative operations to originate from trusted IP ranges; in Salesforce, set login IP ranges on profiles and enable the session setting that enforces those ranges on every request, not just at login.
- Reject or challenge access from unknown or risky geolocations.
- Pair IP restrictions with other authentication measures.
7. Prepare Incident Response & Forensics Readiness
- Retain logs and audit trails for retrospective analysis.
- Have procedures to revoke OAuth tokens, disable or freeze suspect user accounts, and remove a malicious connected app, and rehearse them so they can be executed within minutes of an alert.
- Be ready to notify stakeholders and law enforcement under applicable policies.
8. Consume & Leverage Indicator Data
- The FBI’s advisory includes Indicators of Compromise (IOCs)—IP addresses, domains, user-agent strings associated with UNC6040 and UNC6395.
- Integrate IOCs into your SIEM, threat-hunting workflows, or intrusion detection systems.
- But don’t rely purely on static IOCs—attackers adapt fast. Use behavioral detection as well.
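The following added example (written for this post; it is not part of the FBI advisory or any Salesforce product) shows steps 4 and 8 working together over constructed sample records: one static IOC match plus three behavioral rules that catch the vishing-to-Data-Loader sequence described earlier. The IP ranges, thresholds, baseline users and log records are all placeholders; substitute the FLASH's IOCs and your own baselines when running it against real Event Monitoring or Login History exports.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed sample data: invented records, not real Salesforce logs ---
# Field names loosely follow Salesforce's LoginHistory (Application, Status,
# SourceIp), ApiEvent (Operation, QueriedEntities, RowsProcessed) and
# SetupAuditTrail (Section, Display) objects; Username is used throughout
# as the join key for readability.
LOGINS = [
    {"Username": "jdoe@example.com", "LoginTime": "2025-09-10T09:02:00",
     "SourceIp": "198.51.100.7", "Application": "Browser", "Status": "Success"},
    {"Username": "jdoe@example.com", "LoginTime": "2025-09-10T09:41:00",
     "SourceIp": "203.0.113.45", "Application": "Data Loader", "Status": "Success"},
    {"Username": "ops-int@example.com", "LoginTime": "2025-09-10T01:00:00",
     "SourceIp": "192.0.2.10", "Application": "Data Loader", "Status": "Success"},
]
API_EVENTS = [
    {"Username": "jdoe@example.com", "EventDate": "2025-09-10T09:45:00",
     "SourceIp": "203.0.113.45", "Operation": "Query",
     "QueriedEntities": "Account", "RowsProcessed": 2_000},
    {"Username": "jdoe@example.com", "EventDate": "2025-09-10T09:46:00",
     "SourceIp": "203.0.113.45", "Operation": "Query",
     "QueriedEntities": "Contact", "RowsProcessed": 120_000},
    {"Username": "ops-int@example.com", "EventDate": "2025-09-10T01:05:00",
     "SourceIp": "192.0.2.10", "Operation": "Query",
     "QueriedEntities": "Case", "RowsProcessed": 80_000},
]
SETUP_AUDIT = [
    {"Username": "jdoe@example.com", "CreatedDate": "2025-09-10T09:38:00",
     "Section": "Connected Apps", "Display": "Authorized connected app: Data Loader v2"},
]

# Tuning knobs (assumed values; calibrate against your own org's baseline).
BASELINE_BULK_USERS = {"ops-int@example.com"}  # integration users expected to export in bulk
BULK_ROWS_PER_HOUR = 50_000                    # rows/user/hour before a query run counts as bulk
APP_AUTH_WINDOW = timedelta(hours=2)           # app authorization this close before an export is suspicious
# Placeholder IOC list (RFC 5737 documentation range); load the FBI FLASH IOCs here instead.
IOC_NETWORKS = ["203.0.113.0/24"]


def _ts(value):
    return datetime.fromisoformat(value)


def detect(logins, api_events, setup_audit, baseline_bulk_users, ioc_networks):
    """Return {'alerts': [...], 'high_risk_users': [...]} for the given records."""
    nets = [ip_network(n) for n in ioc_networks]
    alerts = set()  # (rule, username, detail); a set de-duplicates repeated hits

    # Rule 1 (static IOC): any login or API call from a listed network.
    for rec in logins + api_events:
        if any(ip_address(rec["SourceIp"]) in n for n in nets):
            alerts.add(("ioc_ip", rec["Username"], rec["SourceIp"]))

    # Rule 2 (behavioral): Data Loader used by an account that never used it before.
    for rec in logins:
        if (rec["Application"] == "Data Loader" and rec["Status"] == "Success"
                and rec["Username"] not in baseline_bulk_users):
            alerts.add(("new_data_loader_user", rec["Username"], rec["SourceIp"]))

    # Rule 3 (behavioral): rows returned per user in any trailing one-hour window.
    per_user = {}
    for ev in sorted(api_events, key=lambda e: e["EventDate"]):
        per_user.setdefault(ev["Username"], []).append(ev)
    for user, events in per_user.items():
        if user in baseline_bulk_users:
            continue  # known integration; tune its threshold rather than alert on normal volume
        for i, ev in enumerate(events):
            start = _ts(ev["EventDate"]) - timedelta(hours=1)
            rows = sum(e["RowsProcessed"] for e in events[: i + 1] if _ts(e["EventDate"]) >= start)
            if rows >= BULK_ROWS_PER_HOUR:
                alerts.add(("bulk_export", user, rows))
                break

    # Rule 4 (correlation): a connected app is authorized, then the same user runs
    # a large query shortly afterwards; this is the vishing-to-Data-Loader sequence.
    for audit in setup_audit:
        if audit["Section"] != "Connected Apps":
            continue
        auth_time = _ts(audit["CreatedDate"])
        for ev in api_events:
            delta = _ts(ev["EventDate"]) - auth_time
            if (ev["Username"] == audit["Username"] and timedelta(0) <= delta <= APP_AUTH_WINDOW
                    and ev["RowsProcessed"] >= BULK_ROWS_PER_HOUR):
                alerts.add(("app_auth_then_export", audit["Username"], audit["Display"]))

    # A user tripping three or more distinct rules is escalated for token revocation.
    rules_per_user = {}
    for rule, user, _ in alerts:
        rules_per_user.setdefault(user, set()).add(rule)
    high_risk = sorted(u for u, r in rules_per_user.items() if len(r) >= 3)
    return {"alerts": sorted(alerts, key=str), "high_risk_users": high_risk}


if __name__ == "__main__":
    result = detect(LOGINS, API_EVENTS, SETUP_AUDIT, BASELINE_BULK_USERS, IOC_NETWORKS)
    for alert in result["alerts"]:
        print(alert)
    print("escalate:", result["high_risk_users"])
```

Rules 2 through 4 keep firing after the attacker moves to a new IP, which is why they belong alongside the static indicator rather than instead of it; the escalation step is where the incident-response procedures (token revocation, account freeze) are triggered.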
Real-World Examples & Notable Cases
- Earlier in 2025, Google's Threat Intelligence Group (GTIG) publicly disclosed that UNC6040 abused a modified version of Salesforce's Data Loader, tricking employees into authorizing it through voice phishing.
- A host of high-profile organizations (including tech firms, security vendors, and enterprises) have reportedly been affected through the Salesloft Drift token compromise.
- Companies have also reported that, after a compromise, extortion emails arrived under the ShinyHunters name or that of affiliated groups, demanding payment to avoid data leaks.
Conclusion: Stay Alert, Assume Risk, Act Proactively
The FBI’s warning is a stark reminder that even mature cloud systems like Salesforce aren’t immune—attackers are evolving their techniques, especially by exploiting social engineering and integration vulnerabilities.
Sources:
https://www.ic3.gov/CSA/2025/250912.pdf
https://www.cybersecuritydive.com/news/fbi-warns-campaigns-salesforce-instances/760129/
https://www.darkreading.com/cyberattacks-data-breaches/fbi-warns-threat-actors-salesforce-customers
https://www.cxtoday.com/crm/the-fbi-warns-salesforce-customers-of-increasing-cyber-attacks/
https://www.healthcarefinancenews.com/news/aha-fbi-warn-cyberattacks-salesforce-customers