FBI warns of UNC6040 and UNC6395 gangs targeting Salesforce for data theft and extortion


The US Federal Bureau of Investigation (FBI) has issued an alert warning organizations of ongoing cyberattacks targeting Salesforce environments by two threat clusters, tracked as UNC6040 and UNC6395. The groups are behind a surge in data theft and extortion campaigns aimed at major corporations worldwide.

According to the FBI advisory, the groups use separate methods to gain unauthorized access to corporate Salesforce platforms, stealing sensitive data later leveraged in extortion schemes. The agency has released indicators of compromise (IOCs) to help organizations defend their networks and identify breaches.

UNC6040, first disclosed by Google’s Mandiant unit in June 2025, has been active since late 2024. The group primarily uses social engineering and vishing tactics to trick employees into authorizing malicious OAuth applications (often disguised as IT tools like "My Ticket Portal") into connecting with Salesforce accounts via Salesforce Data Loader. Once access is granted, the threat actors exfiltrate vast amounts of corporate data. The stolen data has been used in extortion efforts attributed to the well-known ShinyHunters cybercrime group.

The list of victims includes multiple high-profile organizations such as Google, Adidas, Qantas, Allianz Life, Cisco, Louis Vuitton, Dior, Tiffany & Co., and others.

A second wave of attacks, tracked as UNC6395, occurred between August 8 and 18. It involved the use of stolen OAuth and refresh tokens from Salesloft's Drift integration. The tokens allowed unauthorized access to customer Salesforce instances, particularly targeting sensitive support case data.

The attackers extracted secrets, passwords, AWS keys, and authentication tokens embedded in support conversations. The UNC6395 attack was traced back to a compromise of Salesloft’s GitHub repositories in March, leading to the theft of Drift OAuth tokens. Drift Email tokens were also stolen, allowing access to some Google Workspace accounts.

In response, Salesloft and Salesforce revoked the compromised tokens and required customers to reauthenticate.

The list of affected companies in the UNC6395 campaign includes many major cybersecurity vendors, among them Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks.

The FBI is urging all organizations using Salesforce or Salesloft integrations to review the released IOCs, audit connected OAuth applications, and tighten access controls as soon as possible.
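As an added illustration of the connected-app audit recommended above (not code from the FBI advisory or from Salesforce), the script below triages OAuth token records against an allowlist, flags the app names cited in this report, and calls out recent Data Loader authorizations. The records, the allowlist and the 30-day window are constructed assumptions; real rows would come from a SOQL query against the OauthToken object.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample rows, shaped like a SOQL result such as
# "SELECT AppName, User.Username, CreatedDate FROM OauthToken"
# (OauthToken is a real Salesforce object; these rows are made up).
SAMPLE_TOKENS = [
    {"AppName": "Salesforce Data Loader", "Username": "ops@corp.example", "CreatedDate": "2025-01-10T09:00:00Z"},
    {"AppName": "Salesforce Data Loader", "Username": "jdoe@corp.example", "CreatedDate": "2025-08-20T13:22:00Z"},
    {"AppName": "My Ticket Portal", "Username": "jdoe@corp.example", "CreatedDate": "2025-08-14T13:22:00Z"},
    {"AppName": "Dataloader Bulk", "Username": "asmith@corp.example", "CreatedDate": "2025-08-15T08:05:00Z"},
    {"AppName": "Drift", "Username": "sales@corp.example", "CreatedDate": "2025-03-02T10:00:00Z"},
    {"AppName": "Slack", "Username": "ops@corp.example", "CreatedDate": "2024-11-01T10:00:00Z"},
]

APPROVED_APPS = {"Slack", "Salesforce Data Loader"}   # hypothetical allowlist
WATCHLIST = {"My Ticket Portal", "Drift"}             # app names cited in the report
DATALOADER_RE = re.compile(r"data\s*loader", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    reason: str

def audit_oauth_tokens(tokens, now, recent_days=30,
                       approved=APPROVED_APPS, watchlist=WATCHLIST):
    """Flag connected-app tokens a defender should revoke or confirm with the user."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for t in tokens:
        app, user = t["AppName"], t["Username"]
        created = datetime.strptime(t["CreatedDate"], "%Y-%m-%dT%H:%M:%SZ")
        if app in watchlist:
            findings.append(Finding(app, user, "app named in advisory: revoke and reauthenticate"))
        elif app not in approved:
            kind = "Data Loader look-alike" if DATALOADER_RE.search(app) else "connected app"
            findings.append(Finding(app, user, f"{kind} not on allowlist"))
        elif DATALOADER_RE.search(app) and created >= cutoff:
            findings.append(Finding(app, user, "Data Loader authorized recently: confirm with user"))
    return findings

def run_sample():
    """Audit the constructed rows as of a fixed date so results are reproducible."""
    return audit_oauth_tokens(SAMPLE_TOKENS, now=datetime(2025, 9, 1))

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:<22} {f.app:<24} {f.reason}")
```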

