FBI Warns of Threat Actors Hitting Salesforce Customers
Summary
The FBI’s Internet Crime Complaint Center (IC3) has issued an advisory about two threat actors — UNC6040 (aka ShinyHunters) and UNC6395 — targeting Salesforce customers to steal data and extort organisations. UNC6040 uses social engineering and vishing to trick call centre staff into handing over credentials or authorising malicious apps, while UNC6395 has abused stolen OAuth tokens (notably from Salesloft’s Drift integration) to access hundreds of Salesforce instances earlier this year.
Key Points
- Two distinct threat actors (UNC6040/ShinyHunters and UNC6395) are targeting Salesforce customers for data theft and extortion.
- UNC6040 employs vishing and impersonation of IT support to obtain credentials, MFA, or to get staff to authorise malicious apps.
- Adversaries create malicious apps via Salesforce trial accounts (often modified Data Loader) to exfiltrate large volumes of data while bypassing normal authentication.
- UNC6395 compromised OAuth tokens from Salesloft’s Drift app to access Salesforce-connected environments; Salesloft and Salesforce revoked those tokens in August.
- The FBI recommends defensive steps: train call centre staff, require phishing-resistant MFA, enforce AAA controls, use IP-based restrictions, monitor logs/browser activity and review third-party integrations.
- The advisory includes indicators of compromise (IP addresses and URLs) to help detect related activity.
Content Summary
Since October 2024, UNC6040 has used voice phishing to pose as IT support calling call centre staff with fabricated enterprise connectivity issues. Under the pretext of closing tickets, attackers convince employees to reveal credentials, MFA codes, visit phishing pages, or authorise malicious applications. These apps — created using Salesforce trial accounts — can behave like modified versions of Salesforce’s Data Loader and enable mass data exfiltration while evading some authentication checks.
UNC6395’s activity involved theft of OAuth tokens from Salesloft’s Drift integration to access Salesforce data. Salesloft, with Salesforce, revoked affected tokens in August and re-enabled other integrations except Drift. Salesforce stresses these campaigns exploit people and integrations rather than a platform vulnerability.
Context and Relevance
This advisory matters now — if your organisation uses Salesforce or third-party integrations (Salesloft, Drift or similar), you are in the crosshairs. These attacks combine classic social engineering with abuse of authorised integrations, showing that attackers prefer low-tech human manipulation to high-tech zero-days. The risk surface includes call centres, trial app registration, OAuth tokens and any third-party connector that can be authorised.
For security teams, this is a timely reminder to treat integrations and support workflows as first-class security risks: tighten approval flows, verify any out-of-band requests with established channels, and scan for unusual API/data-extraction activity.
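As an added example (not from the advisory or from Salesforce), the following script shows what "scan for unusual API/data-extraction activity" can look like in practice: it runs three of the FBI's checks over a constructed API log (unapproved connected app, source IP outside the allowed ranges, mass row export per user). The log format, field names, app allow-list, network range and row threshold are all assumptions, loosely modelled on Salesforce API event logs.

```python
"""Detection sketch for the abuse pattern in the advisory: an unapproved
connected app (e.g. a modified Data Loader) or a hijacked integration token
pulling large row counts out of Salesforce, often from an unexpected IP.
Log format, field names and thresholds are constructed for this example."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

APPROVED_APPS = {"Corp ETL Connector", "Drift"}           # assumed allow-list
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress
MASS_EXPORT_ROWS = 100_000                                # assumed per-user threshold

# Constructed sample: one API call per line. "Drift" is an approved app whose
# token is being abused, so it is only caught by the volume rule.
SAMPLE_LOG = """\
timestamp,user,client_name,client_ip,rows_processed
2025-09-01T09:00:00Z,alice,Corp ETL Connector,203.0.113.10,5000
2025-09-01T09:05:00Z,alice,Corp ETL Connector,203.0.113.10,4000
2025-09-01T09:07:00Z,bob,Data Loader Pro,198.51.100.7,80000
2025-09-01T09:09:00Z,bob,Data Loader Pro,198.51.100.7,70000
2025-09-01T09:12:00Z,drift-integration,Drift,203.0.113.20,250000
"""

def ip_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def analyse(log_text: str) -> list:
    """Return sorted, de-duplicated findings as short human-readable strings."""
    findings = set()
    rows_by_user = defaultdict(int)
    for rec in csv.DictReader(StringIO(log_text)):
        if rec["client_name"] not in APPROVED_APPS:
            findings.add(f"unapproved app: {rec['client_name']} by {rec['user']}")
        if not ip_allowed(rec["client_ip"]):
            findings.add(f"off-network source: {rec['client_ip']} by {rec['user']}")
        rows_by_user[rec["user"]] += int(rec["rows_processed"])
    for user, rows in rows_by_user.items():
        if rows >= MASS_EXPORT_ROWS:
            findings.add(f"mass export: {user} pulled {rows} rows")
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```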
Why should I read this?
Short version — if you run Salesforce or manage security, read this. Attackers are using phone scams and stolen tokens to get data out without fancy exploits. It’s the sort of thing that slips past perimeter checks because people and authorised apps are being abused. The article gives the quick how and the FBI’s mitigation checklist so you can patch your processes fast.