UNC6040 And UNC6395 Threat Actors Stealing Salesforce Data

On 12 September 2025, the U.S. Federal Bureau of Investigation (FBI) issued a FLASH Advisory, FLASH‐20250912, describing two cyber criminal threat clusters, UNC6040 and UNC6395, that have compromised Salesforce environments to steal data and extort companies.


The advisory provides indicators of compromise (IOCs) such as malicious IP addresses, URLs, user‐agent strings, and other artifacts that defenders can use to detect and mitigate these intrusions. Those indicators are beyond the scope of this article, but they can make the difference when defending against these specific threats.

UNC6040 and UNC6395 each use different means to gain initial access to Salesforce instances. UNC6040 leverages social engineering, notably voice phishing or "vishing", to trick users into installing or authorizing malicious connected applications, often masquerading as legitimate tools. UNC6395 abuses compromised OAuth tokens, typically from third‐party integrations, to access Salesforce platforms.

The warning emphasizes the rising number of extortion intrusions, in which data stolen from Salesforce is later used to threaten publication or other harm unless a ransom is paid, generally in cryptocurrency, the cybercriminals' favorite payment method.

The activity of UNC6040 and UNC6395 came into public view in mid-2025, although some attacks date back to late 2024. Google Threat Intelligence first reported on UNC6040 in June 2025. In its earliest noted operations, UNC6040 used social engineering and vishing to persuade employees to install malicious versions of Salesforce's Data Loader via OAuth-connected apps, impersonating IT staff.

UNC6395 emerged somewhat later. In August 2025, threat actors exploited OAuth and refresh tokens tied to the Salesloft Drift application to gain access and extract data from customer support case information stored in Salesforce.

These attacks affected high-profile organizations across many sectors. Victims include Google itself, global fashion houses such as Dior, Louis Vuitton, and Adidas, tech firms, and various companies relying on Salesforce for customer relationship management and support functions.

Following detection of these attacks, some remedial actions occurred: for example, Salesloft worked with Salesforce to revoke all Drift-related tokens and force re-authentication for customers; Google and others conducted impact analyses and notified potentially affected parties.

Technical Analysis of the Attacks

Both UNC6040 and UNC6395 rely on Salesforce's connected app / OAuth mechanisms. UNC6040 tricked users into authorizing malicious connected apps (often a modified Data Loader tool) so that the threat actor could query and export large datasets. Because the app is authorized via OAuth, many traditional defenses (login alerts, MFA, password resets) become less effective, and activity looks legitimate as far as many systems are concerned.

UNC6395 used stolen OAuth tokens from a compromised third-party application integration (Salesloft's Drift). Once those tokens were misused, attackers accessed support case data and extracted sensitive secrets. These include credentials, authentication tokens, AWS keys, Snowflake tokens, and other similar third-party authentication secrets.

UNC6040 frequently exfiltrated data immediately following access. Attackers used connected apps or modified Data Loader tools to run API queries, pull down large volumes of data, and, in some cases, move laterally to other services such as Microsoft 365 or Okta.

In many cases, they did not demand ransom until some time later; in some cases, there was a months-long delay between theft and extortion. The extortion demands typically invoke the ShinyHunters brand. Whether ShinyHunters directly performed the breach is not certain; invoking the name can itself be a tactic to increase pressure on the victim.

UNC6395 similarly moved to exfiltrate data via compromised third-party tokens. In some attacks, the content stolen includes support ticket information, which often contains sensitive credentials or secrets.

The attacks often bypass standard login defenses by abusing OAuth and connected app permissions rather than directly compromising user passwords or exploiting platform vulnerabilities. Salesforce stated that these attacks exploit gaps in user behavior and process rather than flaws in its core system.

Organizations using Salesforce, and more broadly, cloud applications and CRMs, must adopt layered defense strategies. Salesforce and law enforcement recommendations converge on several best practices.

The FBI advisory includes several mitigations, including:

  • Training call center and customer support employees to respond appropriately to phishing and vishing.
  • Requiring phishing-resistant MFA wherever possible.
  • Enforcing least privilege policies in access-controlled environments, limiting what actions users and connected apps can perform.
  • Enforcing IP-based access restrictions and monitoring API usage for anomalies.
  • Monitoring network logs and browser session activity for signs of exfiltration or unauthorized app behavior.
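To show what the connected-app governance discussed above and the last two mitigations look like as detection logic, here is an added example that is not from the advisory or this article: it scores constructed Salesforce API-event rows against a connected-app allowlist, the org's login IP ranges and a per-session row budget. The field names, app names, addresses and threshold are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows shaped like Salesforce Event Monitoring API/Bulk API
# events; field names are assumed, not taken from the advisory or Salesforce docs.
SAMPLE_EVENTS = [
    {"user": "support1@example.com", "app": "Salesforce for Outlook", "ip": "203.0.113.10", "rows": 40},
    {"user": "support2@example.com", "app": "Ticket Exporter", "ip": "198.51.100.77", "rows": 600},
    {"user": "integration@example.com", "app": "Drift", "ip": "192.0.2.200", "rows": 90_000},
    {"user": "integration@example.com", "app": "Drift", "ip": "192.0.2.200", "rows": 95_000},
    {"user": "support1@example.com", "app": "Data Loader", "ip": "203.0.113.11", "rows": 900},
]

# Tenant governance settings (assumed values): allowlisted connected apps,
# the org's login IP ranges, and a row budget for bulk pulls per user/app pair.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader", "Drift"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ROW_BUDGET = 100_000


def analyze(events, approved=APPROVED_APPS, nets=ALLOWED_NETS, budget=ROW_BUDGET):
    """Return {(user, app): [reasons]} for user/app pairs that break policy.

    Per-event checks catch an unapproved connected app (the UNC6040 pattern)
    and a source IP outside the org's ranges. Rows are summed per user/app
    pair so that a legitimate integration whose token is replayed in many
    mid-sized batches (the UNC6395 pattern) still trips the volume check
    even though the app itself is allowlisted.
    """
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for e in events:
        key = (e["user"], e["app"])
        totals[key] += e["rows"]
        if e["app"] not in approved:
            reasons[key].add("unapproved connected app")
        if not any(ipaddress.ip_address(e["ip"]) in n for n in nets):
            reasons[key].add("source IP outside login ranges")
    for key, rows in totals.items():
        if rows >= budget:
            reasons[key].add(f"bulk export of {rows} rows")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    for (user, app), why in analyze(SAMPLE_EVENTS).items():
        print(f"{user} via {app}: {', '.join(why)}")
```

In the constructed data the Drift rows illustrate why an app allowlist alone is not enough: the app is approved, but the unexpected source network and the aggregate volume still surface it.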

The FBI's warning about UNC6040 and UNC6395 underscores a troubling shift in how attackers breach Salesforce environments: instead of exploiting software vulnerabilities, they increasingly exploit people, trust, and insufficiently restricted application integrations. UNC6040 primarily uses vishing and social engineering to deploy malicious connected apps, while UNC6395 leverages stolen OAuth tokens from legitimate integrations. Attackers exfiltrate data and eventually extort victims.

Organizations must assume that prevention begins with awareness and proper control settings, and that detection and response are equally vital. Companies can significantly reduce risk by applying least privilege, enforcing strong MFA, governing connected apps, restricting IPs, monitoring for anomalous activity, and preparing response plans. As threat actors evolve and refine their tactics, defenders must do the same.

Karolis Liucveikis


Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
