FBI Shares IoCs for Recent Salesforce Intrusion Campaigns

The cybercrime groups tracked as UNC6040 and UNC6395 have been extorting organizations after stealing data from their Salesforce instances.


The FBI has shared indicators of compromise (IoCs) associated with two malicious campaigns targeting Salesforce customers for data theft and extortion.

The first campaign, attributed to a threat actor tracked as UNC6040 and ongoing for several months, relies on voice phishing (vishing) to convince employees at the victim organizations to grant them access to the Salesforce instance or to share credentials for the portal.

In some cases, the attackers guide the employee into approving a modified variant of the Salesforce Data Loader application, which grants them access to the data stored in the Salesforce instance.

“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk,” the FBI notes in its alert (PDF).

After stealing the data, the cybercriminals send extortion demands to the victim organizations, threatening to release the information publicly unless a ransom is paid in cryptocurrency.

Salesforce warned of this type of attack in March, roughly three months before Google said that, in some instances, UNC6040 was seen moving laterally to other platforms, such as Microsoft 365, Okta, and Workplace.

UNC6040 has claimed affiliation with the infamous ShinyHunters extortion group, which appears linked to the Scattered Spider hackers.

The second malicious operation the FBI warns about is the recent widespread Salesforce-Salesloft data theft campaign, which hit over 700 organizations through the integration with the Drift AI chatbot and has been attributed to a threat actor tracked as UNC6395.


As part of the attack, the hackers used compromised OAuth tokens issued to Drift to access the Salesforce instances and steal large amounts of data. They exfiltrated the tokens from Drift’s AWS instance after gaining access to Salesloft’s GitHub account, which they held between March and June 2025.

Over a dozen cybersecurity firms have disclosed data breaches linked to the attack, with HackerOne and Qualys being the latest to confirm the impact.

In addition to publishing IoCs associated with these campaigns, the FBI recommends that organizations implement phishing-resistant multi-factor authentication (MFA), train call center staff to recognize phishing, implement authentication, authorization, and accounting (AAA) systems, enforce IP-based access restrictions, monitor logs, and review third-party integrations.
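Three of the FBI's recommendations (enforcing IP-based access restrictions, monitoring logs, and reviewing third-party integrations) translate directly into detection logic over API event logs, and the bulk API queries described in the alert are what such logic should surface. The script below is an added example written for this article, not code from the FBI alert or from Salesforce; the records are constructed, and their field names (`ts`, `user`, `client`, `ip`, `rows`) are an assumption loosely modelled on the kind of fields Salesforce Event Monitoring exposes for API events. It flags a single user-plus-client pair pulling an unusual row count inside a short window, access from addresses outside the allowed network ranges, and connected apps that are not on the reviewed list.

```python
"""Triage Salesforce-style API event records for bulk export, unapproved
source IPs and unreviewed connected apps (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry). Field names are an
# assumption loosely modelled on Salesforce Event Monitoring API events.
SAMPLE_EVENTS = [
    {"ts": "2025-09-12T09:00:05Z", "user": "alice@example.com",
     "client": "Salesforce for Outlook", "ip": "203.0.113.10", "rows": 40},
    {"ts": "2025-09-12T09:01:10Z", "user": "alice@example.com",
     "client": "Salesforce for Outlook", "ip": "203.0.113.10", "rows": 25},
    # Three rapid bulk pulls through a Data Loader style client, from an
    # address outside the corporate ranges.
    {"ts": "2025-09-12T09:02:00Z", "user": "bob@example.com",
     "client": "Data Loader Bulk", "ip": "198.51.100.77", "rows": 200000},
    {"ts": "2025-09-12T09:02:30Z", "user": "bob@example.com",
     "client": "Data Loader Bulk", "ip": "198.51.100.77", "rows": 200000},
    {"ts": "2025-09-12T09:03:00Z", "user": "bob@example.com",
     "client": "Data Loader Bulk", "ip": "198.51.100.77", "rows": 200000},
    # An integration user acting through a connected app nobody has reviewed.
    {"ts": "2025-09-12T09:05:00Z", "user": "svc-chat@example.com",
     "client": "Unvetted Chat Integration", "ip": "192.0.2.5", "rows": 500},
]

# Policy inputs (hypothetical values chosen for the example).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]
APPROVED_CLIENTS = {"Salesforce for Outlook", "Data Loader Bulk"}
BULK_ROWS_THRESHOLD = 500_000        # rows per (user, client) per window
WINDOW = timedelta(minutes=10)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_pulls(events, threshold=BULK_ROWS_THRESHOLD, window=WINDOW):
    """Sliding-window row count per (user, client); one alert per pair."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["client"])].append((parse_ts(e["ts"]), e["rows"]))
    alerts = []
    for (user, client), samples in by_key.items():
        samples.sort()
        start, total = 0, 0
        for ts, rows in samples:
            total += rows
            # Drop samples that fell out of the window.
            while ts - samples[start][0] > window:
                total -= samples[start][1]
                start += 1
            if total >= threshold:
                alerts.append({"rule": "bulk_api_export", "user": user,
                               "client": client, "rows_in_window": total})
                break
    return alerts


def find_unapproved_ips(events, allowed=ALLOWED_NETWORKS):
    """API calls from outside the allowed ranges, deduplicated per (user, ip)."""
    seen, alerts = set(), []
    for e in events:
        key = (e["user"], e["ip"])
        if key in seen:
            continue
        if not any(ip_address(e["ip"]) in net for net in allowed):
            seen.add(key)
            alerts.append({"rule": "ip_outside_allowlist",
                           "user": e["user"], "ip": e["ip"]})
    return alerts


def find_unapproved_clients(events, approved=APPROVED_CLIENTS):
    """Connected apps / API clients not on the reviewed list, one alert each."""
    seen, alerts = set(), []
    for e in events:
        if e["client"] not in approved and e["client"] not in seen:
            seen.add(e["client"])
            alerts.append({"rule": "unreviewed_connected_app",
                           "user": e["user"], "client": e["client"]})
    return alerts


def triage(events):
    """Run all three checks and return the combined list of findings."""
    return (find_bulk_pulls(events) + find_unapproved_ips(events)
            + find_unapproved_clients(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The threshold, window and allow-lists are the tuning knobs: a nightly integration that legitimately exports a large table should be given its own expected volume rather than raising the global threshold, and every client name that appears in the `unreviewed_connected_app` findings is a candidate for the third-party integration review the FBI recommends.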

“The FBI recommends organizations investigate and vet indicators prior to taking action, such as blocking,” the agency notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
