
Salesforce Storm looming: UNC6040 & UNC6395 Data Heist Lightning 

By Javier Conejo del Cerro
15 Sept
4 min read

A perfect storm has erupted in the SaaS world. The FBI has warned that Salesforce, the global leader in customer relationship management (CRM), is the target of two distinct yet overlapping campaigns carried out by UNC6040 and UNC6395. The two groups took completely different routes in: one abused OAuth tokens stolen from a third-party integration, the other talked employees into handing over access. Their near-simultaneous strikes highlight a growing truth: SaaS, once celebrated as secure and resilient, is now a prime target for espionage, fraud, and extortion. These incidents expose not just technical weaknesses but the fragility of the trust relationships that digital business platforms run on.


Phase 1: Clouds gather – Salesforce users under fire 


The victims extend far beyond a single company. Salesforce tenants worldwide, organizations that rely on the platform every day to manage customers, track sales, and run operations, found themselves in the storm's path. Especially hard hit was Salesloft's Drift AI chatbot integration, which had to be taken offline after its OAuth tokens were found to be compromised. For executives, sales teams, and customer support staff, the breach meant exposure of records, credentials, and business-sensitive data. In today's enterprises, CRM is not just a tool but the backbone of revenue generation, which makes Salesforce an irresistible target.


Phase 2: UNC6395 – OAuth token exploitation after GitHub breach 


UNC6395 showed the danger of trust-based authentication. Their path began with the Salesloft GitHub breach, where OAuth tokens tied to the Drift integration were stolen. A stolen OAuth token is a valid bearer credential: whoever presents it to the Salesforce API is treated as the Drift connected app itself, with that app's scopes, and no password prompt or MFA challenge stands in the way. Queries made with the tokens therefore looked like routine integration traffic and raised no alarms while data was siphoned out. Drift was forced offline and the tokens were revoked, but by that point customer data, system credentials, configuration details, and sales pipelines were already compromised. This phase illustrates how attackers increasingly exploit integration trust relationships rather than brute-forcing their way in.
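The tokens in this phase were stolen from a source repository, so the cheapest control is to keep them out of repositories in the first place. The following is an added example, not code from the article, Salesloft, or Salesforce: a pre-commit style scanner that walks file contents and flags OAuth material before it is committed. The token formats it looks for are assumptions based on commonly observed shapes (Salesforce access tokens begin with the org ID, which starts with "00D", followed by "!"; Salesforce refresh tokens commonly start with "5Aep"; client secrets tend to sit next to a key named client_secret or consumer_secret), the sample files and secrets are constructed dummies, and the function names are my own.

```python
"""Scan repository content for Salesforce OAuth tokens and client secrets (added example)."""
import re
from dataclasses import dataclass

# Each pattern is an assumption about commonly observed formats, not an official spec.
PATTERNS = {
    # Org ID (15 or 18 chars, starts with 00D) + "!" + session part: the shape of a Salesforce access token.
    "salesforce_access_token": re.compile(r"\b00D[0-9A-Za-z]{12,15}![0-9A-Za-z._]{20,}"),
    # Salesforce refresh tokens are commonly observed to start with "5Aep".
    "salesforce_refresh_token": re.compile(r"\b5Aep[0-9A-Za-z._]{40,}"),
    # A long opaque value assigned to a client/consumer secret key in config or code.
    "oauth_client_secret": re.compile(r"""(?i)(client_secret|consumer_secret)\s*[=:]\s*['"]?([0-9A-Za-z._-]{20,})"""),
}

# Constructed sample repository; every secret below is a dummy value.
SAMPLE_FILES = {
    ".env": (
        "SF_CLIENT_ID=3MVG9example\n"
        "SF_CLIENT_SECRET=AbCdEf0123456789GhIjKlMnOpQrStUvWx\n"
        "SF_REFRESH_TOKEN=5Aep861Rn0uXkq2JfN3sVw8Lm5Pd7Tb9Yg1Hc4Ke6Qz0AaBbCcDdEeFfGg\n"
    ),
    "scripts/export.py": (
        "SESSION_ID = '00D5g000004ABCD!AQEAQHxyz0123456789abcdefghijklmnop'  # hard-coded session\n"
    ),
    "README.md": "Set SF_CLIENT_SECRET in your environment, never in the repo.\n",
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted so the scanner's own output never leaks the secret


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return secret[:6] + "*" * 8


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per pattern hit, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group put the secret in the last group; otherwise use the whole match.
                secret = match.group(match.lastindex or 0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory map of path -> contents (a real hook would read staged files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(findings: list[Finding]) -> bool:
    """Any hit is enough to reject the commit; rotate the secret, do not just delete the line."""
    return len(findings) > 0


if __name__ == "__main__":
    hits = scan_repo(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
    raise SystemExit(1 if should_block_commit(hits) else 0)
```

A hit on a file that is already in history means the secret must be treated as exposed and rotated; removing the line in a later commit does nothing for an attacker who already cloned the repository.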


Phase 3: UNC6040 – Vishing and modified Data Loader 


While UNC6395 moved through GitHub and OAuth, UNC6040 chose a more human-centered path. Active since 2024, the group specialized in vishing, fraudulent phone calls to employees designed to extract login credentials. Once inside a Salesforce tenant, they ran a modified version of Data Loader, Salesforce's own bulk import and export client, alongside custom Python scripts, and used them to pull records out in bulk through the API. By mixing social engineering with technical tooling, UNC6040 demonstrated that even well-defended SaaS environments crumble when the human element is manipulated.


Phase 4: Lightning strikes – The role of ShinyHunters 


The breach did not end with the theft. According to Google, UNC6240 (ShinyHunters) was tied to the extortion phase. ShinyHunters is infamous for stealing, repackaging, and selling large datasets on underground forums. While they announced a "shutdown," experienced researchers know that such retirements are often temporary. Groups like ShinyHunters re-emerge under different banners or partner with others, so stolen Salesforce datasets may circulate for years. The presence of ShinyHunters in this storm amplifies the threat: it turns a targeted breach into a global risk of resale, secondary fraud, and reputational harm.


Phase 5: What was stolen – The data haul 


The treasure trove stolen by both groups was extensive. Attackers gained access to:

  • Customer records with sensitive personal and business details.

  • Credentials that open the door to broader identity theft.

  • System configurations that reveal how Salesforce environments are structured.

  • Sales records that expose competitive intelligence and revenue pipelines.

This mix of technical, personal, and strategic data paints a clear picture: attackers were not simply after quick wins. They targeted the lifeblood of companies, stealing information that can enable long-term espionage, competitive sabotage, and persistent fraud.


Phase 6: Breaking the storm – Defense and resilience 


How can organizations withstand such storms? It requires more than just a technical patch. Defense must be layered and proactive:

  • Harden OAuth and GitHub integrations, minimizing token scope and rotating secrets.

  • Treat Drift data as compromised, assuming that exposure extends beyond Salesforce.

  • Monitor Salesforce API queries and Data Loader activity: unfamiliar connected apps, Bulk API jobs, and large row counts against Account, Contact, Case, or Opportunity objects from a single user or IP address are the signatures of exfiltration.

  • Apply multi-factor authentication rigorously, for user accounts and for privileged service accounts alike. Bear in mind that MFA is checked at login, not when an already-issued OAuth token is presented, so token scope, lifetime, and revocation matter just as much.

  • Train staff against vishing calls, equipping employees to recognize when a phone conversation is being weaponized.

  • Demand SaaS provider transparency, requiring real-time monitoring, logging, and incident response cooperation.

These measures turn the umbrella into a fortified shelter against storms that are only becoming more frequent.


The campaigns of UNC6040 and UNC6395 mark a turning point. They show that SaaS platforms like Salesforce are no longer just tools; they are battlegrounds. Attackers combined OAuth abuse, a GitHub breach, vishing, and custom tooling to bypass defenses and drain data at scale. The involvement of ShinyHunters highlights that stolen information rarely stays contained; it circulates, multiplies, and resurfaces in unpredictable ways.

For companies worldwide, this breach is a wake-up call. In the cloud era, security cannot be left solely in the hands of providers. SaaS must be treated as critical infrastructure, with organizations enforcing controls, training staff, and preparing for the next storm. Because as this case proves, the silence of adversaries does not mean safety—it often means they are gathering strength for the next strike.
