FBI Warns of New Salesforce Data Extortion Campaigns


The FBI has issued a FLASH alert warning of new data theft and extortion campaigns aimed at Salesforce users. Investigators say two cybercriminal groups are breaking into Salesforce instances through social engineering schemes and compromised third-party app tokens, then siphoning customer data to pressure victims for payment.

Salesforce has become a bull’s-eye for attackers because it holds exactly what criminals want: troves of sensitive customer information. With so many organizations relying on the platform to run sales and support operations, a breach can quickly escalate from a single compromised account to an enterprise-wide crisis.

Who’s Behind the Campaigns

Two criminal groups are driving the recent Salesforce intrusions. UNC6040 favors social-engineering attacks—mostly voice phishing—targeting call-center and support staff to steal credentials or trick employees into approving risky actions. Some of its victims later received extortion notes allegedly from ShinyHunters, demanding cryptocurrency and threatening to publish stolen data.

UNC6395 has taken a different tack: the group exploited compromised OAuth tokens tied to Salesloft’s Drift chatbot integration. That access let them query Salesforce environments directly until Salesloft and Salesforce revoked all Drift tokens to cut off the abuse.

How the Attacks Unfold

UNC6040’s vishing calls target call-center and help-desk staff, tricking them into sharing credentials or performing actions that grant access to Salesforce. During calls, the actors will direct victims to click links from their phones or work machines and follow step-by-step prompts—classic social engineering designed to shorten the thinking time between instruction and consent.

Once inside, the actors coax admins or privileged users to approve a connected app. In some cases, this has been a malicious app disguised as My Ticket Portal. Approving the app issues OAuth tokens that let it query and extract data as if it were a trusted integration. Because the tokens come from Salesforce itself, this activity can look like legitimate app behavior and bypass controls such as MFA, routine password resets, and simple login monitoring.

For bulk theft, attackers favor API calls and tools that pull large volumes of records quickly. The FBI observed threat actors using API queries and even instructing victims to add what appears to be Salesforce’s Data Loader—sometimes a modified version—to speed mass exfiltration.

The Fallout for Organizations

These campaigns highlight how SaaS platforms are becoming high-value targets. Attackers no longer need to break into on-prem servers when they can trick their way into a company’s Salesforce tenant and walk off with a customer database.

The stakes are obvious. Customer records, deal pipelines, and support histories are all sensitive data that can be sold, leaked, or used as leverage. Once stolen, that information fuels extortion attempts—pay us or watch your customer data appear on dark-web forums.

Beyond the immediate loss of data, organizations face long-tail risks. A public leak can trigger regulatory scrutiny under data-protection laws, lawsuits from customers, and lasting reputational damage. Rebuilding trust after a Salesforce breach can mean years of explaining to clients why their data ended up in someone else’s hands.

What Security Teams Should Do Now

The FBI’s FLASH includes a long list of indicators of compromise covering IP addresses, domains, and user-agent strings tied to these campaigns. Security teams should pull those into threat-hunting workflows, but that’s only the starting point. Indicators shift quickly, while the underlying tactics will stick around longer.

Defending Salesforce and similar platforms comes down to visibility and control. Organizations need clear insight into which third-party apps are connected, which tokens are active, and who has administrative privileges. Rotating keys and pruning integrations that aren’t necessary cuts down the surface area attackers can abuse. Applying least-privilege rules to accounts—human and non-human—helps contain damage when one is tricked or compromised.

Training employees, particularly call-center and support staff, is just as important. Vishing works because someone on the line believes the caller is who they say they are. Giving staff simple scripts for verifying IT requests and safe ways to escalate suspicious calls can blunt those attacks before credentials are given up.

Finally, continuous monitoring of Salesforce activity is essential. Unusual API queries, sudden spikes in record downloads, or OAuth approvals outside normal patterns should trigger alerts. With so much sensitive data in play, anomaly detection is often what separates an early catch from a ransom note.
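As an added illustration of the visibility and monitoring the two passages above call for, and not code from the FBI alert, Salesforce, or the article’s author, the Python script below triages a constructed, simplified set of Salesforce-style event records: it flags connected apps outside a reviewed inventory, fresh app approvals, Data Loader-style clients operating under an unknown app, and per-user record volumes far above an assumed hourly baseline. The record layout, app names, baseline figure and sample rows are all assumptions, not the platform’s real schema.

```python
"""Triage of simplified Salesforce-style event records (added example).

The record layout is a constructed stand-in for Salesforce event-monitoring
and connected-app data, not the platform's real schema; the sample rows,
the approved-app inventory and the baseline are constructed as well.
"""
from collections import defaultdict

# Connected apps the organization has reviewed and approved (assumed inventory).
APPROVED_APPS = {"Internal Reporting", "Marketing Sync"}

# Rows one user normally pulls through the API in an hour (assumed baseline).
BASELINE_ROWS_PER_HOUR = 5_000
SPIKE_FACTOR = 10

# Constructed sample events covering one hour of API and connected-app activity.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "app": "Internal Reporting", "kind": "API",
     "rows": 1_200, "user_agent": "python-requests"},
    {"user": "bob@corp.example", "app": "Marketing Sync", "kind": "API",
     "rows": 3_000, "user_agent": "Java/1.8"},
    # Newly approved app missing from the inventory; name mimics a support portal.
    {"user": "admin@corp.example", "app": "My Ticket Portal", "kind": "APP_APPROVAL",
     "rows": 0, "user_agent": "Mozilla/5.0"},
    # Mass download through a Data Loader-style client under that same app.
    {"user": "admin@corp.example", "app": "My Ticket Portal", "kind": "BULK_API",
     "rows": 90_000, "user_agent": "Salesforce Data Loader"},
]


def triage(events, approved_apps=APPROVED_APPS,
           baseline=BASELINE_ROWS_PER_HOUR, factor=SPIKE_FACTOR):
    """Return alerts keyed by category; each value is a sorted list of findings."""
    alerts = defaultdict(set)
    rows_by_user = defaultdict(int)
    for e in events:
        # Any connected app outside the reviewed inventory deserves a look,
        # whether it is being approved or is already pulling data.
        if e["app"] not in approved_apps:
            alerts["unknown_connected_app"].add(e["app"])
        if e["kind"] == "APP_APPROVAL":
            alerts["app_approval"].add(f'{e["user"]} approved {e["app"]}')
        rows_by_user[e["user"]] += e["rows"]
        # Data Loader is legitimate tooling; its use under a non-inventoried
        # app is the combination the alert describes.
        if "Data Loader" in e["user_agent"] and e["app"] not in approved_apps:
            alerts["data_loader_under_unknown_app"].add(e["user"])
    for user, rows in rows_by_user.items():
        if rows > baseline * factor:
            alerts["record_volume_spike"].add(f"{user}: {rows} rows")
    return {k: sorted(v) for k, v in alerts.items()}
```

Running `triage(SAMPLE_EVENTS)` returns four alert categories, all pointing at the unknown app and the admin account that approved it; the two inventoried apps produce nothing.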

“The IOCs provided by the FBI are a valuable head start for defenders to detect hidden misuse, but they’re only part of the picture,” said Randolph Barr, Chief Information Security Officer at Cequence Security. “What’s needed going forward is a shift in security mindset from looking only for anomalies in network traffic or file signatures, to questioning whether a system’s behavior still aligns with its intended business function.”

SaaS Is the New Front Line

The FBI is urging organizations to get ahead of these campaigns by tightening defenses now. That means treating SaaS environments with the same seriousness as on-prem infrastructure—auditing integrations, locking down access, and training the people who use these platforms every day.

The broader lesson is that Salesforce isn’t an outlier. Any SaaS platform that centralizes customer or business data is a tempting target. Attackers will continue to probe for weak spots, whether through a phone call to a help desk or a hijacked OAuth token from a third-party app.

To keep pace, organizations need to shift toward stronger identity controls and data-centric protections. That means phishing-resistant MFA, least-privilege access, and continuous monitoring of data flows. The goal isn’t just to keep attackers out, but to limit what they can do if they get in. SaaS has become the new front line, and treating it that way is the only path to staying ahead.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.