FBI Issues Critical Warning: UNC6040 and UNC6395 Cybercriminal Groups Target Salesforce Platforms in Massive Data Theft Campaign

In a significant cybersecurity alert issued in September 2025, the Federal Bureau of Investigation (FBI) has warned organizations about two sophisticated cybercriminal groups, UNC6040 and UNC6395, actively targeting Salesforce platforms in coordinated data theft attacks. This warning comes at a critical time when businesses are increasingly reliant on cloud-based customer relationship management (CRM) systems, making them attractive targets for cybercriminals seeking valuable customer data and business intelligence.

The FBI’s alert highlights the evolving threat landscape where cybercriminals are shifting their focus from traditional network intrusions to cloud-based platforms that house sensitive business and customer information. For small and medium-sized businesses (SMBs) and general consumers who rely on Salesforce for their operations, understanding these threats and implementing proper security measures has never been more crucial.

Understanding the UNC6040 and UNC6395 Threat Groups

The cybercriminal groups UNC6040 and UNC6395 represent a new breed of sophisticated threat actors who have developed specialized techniques for infiltrating and extracting data from Salesforce environments. According to the FBI’s investigation, these groups have been operating with increasing frequency and sophistication throughout 2025.

UNC6040, also known as ShinyHunters in some cybersecurity circles, has been particularly active in targeting Salesforce instances through voice phishing (vishing) campaigns. This group has developed custom tools specifically designed to accelerate data extraction from Salesforce platforms once they gain initial access. Their approach demonstrates a high level of technical sophistication and specific knowledge of Salesforce’s architecture and data structures.

UNC6395 operates with similar objectives but employs different tactics to achieve unauthorized access to Salesforce accounts. The FBI’s August 2025 findings revealed that UNC6395 had successfully compromised multiple Salesforce instances and stolen significant amounts of sensitive data, including customer records, financial information, and proprietary business data.

These groups target Salesforce platforms specifically because they often contain a treasure trove of valuable information, including customer contact details, sales data, financial records, and strategic business information that can be monetized on dark web marketplaces or used for further targeted attacks.

Attack Methods and Techniques Employed

The FBI’s warning details several sophisticated attack methods employed by these cybercriminal groups, with voice phishing (vishing) being the primary initial access vector used by UNC6040. This technique involves cybercriminals making phone calls to employees, impersonating IT support staff or other trusted entities to trick victims into revealing their Salesforce login credentials or other sensitive authentication information.

Once initial access is obtained, both groups employ advanced techniques to maintain persistence and extract maximum value from compromised Salesforce instances:

  • Custom Data Extraction Tools: The groups have developed specialized software designed to rapidly download and exfiltrate large volumes of data from Salesforce databases
  • Privilege Escalation: Attackers seek to gain administrative access to Salesforce instances to access broader datasets and disable security controls
  • Living-off-the-Land Techniques: Using legitimate Salesforce features and APIs to avoid detection while extracting data
  • Social Engineering: Targeting multiple employees within the same organization to increase their chances of success

The FBI notes that these attacks are particularly dangerous because they often go undetected for extended periods. Unlike traditional malware infections that might trigger security alerts, these attacks use legitimate platform features and APIs, making them harder to distinguish from normal user activity.

Impact on Small and Medium-Sized Businesses

Small and medium-sized businesses face unique challenges when defending against these sophisticated attacks. Unlike large enterprises with dedicated cybersecurity teams, SMBs often lack the resources and expertise to implement comprehensive security measures or detect advanced persistent threats targeting their Salesforce instances.

The impact of a successful attack on an SMB can be devastating. According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach for small businesses can exceed $3 million, not including the long-term reputational damage and potential regulatory fines.

For SMBs using Salesforce, the stolen data often represents their most valuable business asset – customer relationships, sales pipelines, and competitive intelligence. The loss of this information can result in:

  • Direct financial losses from theft of proprietary information and customer data
  • Regulatory compliance violations under GDPR, CCPA, and other data protection regulations
  • Loss of customer trust and reputation damage that can take years to rebuild
  • Competitive disadvantage when sensitive business strategies are exposed
  • Legal liability from customers and partners whose data was compromised

The FBI’s warning emphasizes that these groups specifically target smaller organizations because they often have weaker security controls while still maintaining valuable data in their Salesforce instances.

Essential Security Measures for Salesforce Protection

Protecting your Salesforce instance from UNC6040, UNC6395, and similar threat groups requires a comprehensive security approach. The FBI recommends implementing multiple layers of security controls to reduce the risk of successful attacks.

Multi-Factor Authentication and Access Controls

Multi-factor authentication (MFA) should be mandatory for all Salesforce users, particularly administrators. Even if cybercriminals obtain login credentials through vishing attacks, MFA can prevent unauthorized access. Organizations should implement:

  • App-based authentication tools rather than SMS-based MFA, which can be compromised
  • Hardware security keys for high-privilege accounts
  • Conditional access policies that restrict login attempts from unusual locations
  • Regular review and updating of user permissions and access levels

Employee Training and Awareness

Since vishing is the primary attack vector, employee education is crucial. Security awareness programs should specifically address:

  • Recognition of vishing attempts and social engineering tactics
  • Proper procedures for verifying the identity of callers requesting sensitive information
  • Immediate reporting protocols for suspicious communication attempts
  • Regular phishing simulation exercises to test and improve employee responses

Technical Security Controls

Organizations should implement robust technical controls within their Salesforce environment:

  • IP Allowlisting: Restrict Salesforce access to known, trusted IP addresses
  • Session Management: Configure appropriate session timeout periods and monitor for concurrent sessions
  • Data Classification: Implement field-level security to protect the most sensitive information
  • API Monitoring: Monitor API usage for unusual patterns that might indicate data extraction activities
  • Regular Security Audits: Conduct periodic reviews of user permissions, sharing rules, and security settings

Detection and Response Strategies

Early detection of compromise is critical to minimizing the impact of these attacks. Organizations should establish monitoring and response capabilities that can identify suspicious activity in their Salesforce environments.

Key indicators of compromise that organizations should monitor include:

  • Unusual login patterns, particularly from new geographic locations
  • Large-scale data exports or API calls outside of normal business operations
  • Changes to user permissions or security settings by non-administrative users
  • Creation of new user accounts or modification of existing accounts without proper authorization
  • Access to sensitive data outside of normal job responsibilities

CISA recommends that organizations maintain detailed audit logs and implement automated alerting for suspicious activities. For SMBs without dedicated security teams, partnering with managed security service providers can provide the expertise needed to monitor and respond to threats effectively.
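As an added example (not code from the FBI alert or from this post), the following Python script applies three of the indicators listed above to constructed, simplified Salesforce-style event records: logins from a country not in the user's baseline, bulk API extraction aggregated over a short window, and permission changes made by a non-admin user. The field names, thresholds and baseline data are assumptions for illustration, not real Event Monitoring output, and would need to be mapped onto the log source an organization actually has.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Salesforce event logs.
# Field names are assumptions for this example, not a real log schema.
EVENTS = [
    {"ts": "2025-09-10T09:01:00", "user": "alice", "type": "Login", "country": "US"},
    {"ts": "2025-09-10T09:05:00", "user": "alice", "type": "ApiQuery", "rows": 120},
    {"ts": "2025-09-10T13:30:00", "user": "bob", "type": "Login", "country": "US"},
    {"ts": "2025-09-10T22:14:00", "user": "bob", "type": "Login", "country": "NG"},
    {"ts": "2025-09-10T22:15:00", "user": "bob", "type": "ApiQuery", "rows": 12000},
    {"ts": "2025-09-10T22:16:00", "user": "bob", "type": "ApiQuery", "rows": 11000},
    {"ts": "2025-09-10T22:20:00", "user": "bob", "type": "PermissionChange", "is_admin": False},
]

# Constructed per-user login history; in practice built from past login records.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}
BULK_ROW_THRESHOLD = 20000          # rows per user per window; tune to normal volume
WINDOW = timedelta(minutes=10)


def detect(events, baseline, row_threshold=BULK_ROW_THRESHOLD, window=WINDOW):
    """Return (user, indicator) pairs for new-location logins, bulk API
    extraction within a sliding window, and permission changes by non-admins."""
    alerts = []
    windows = defaultdict(list)     # user -> [(timestamp, rows_returned), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "Login" and e["country"] not in baseline.get(user, set()):
            alerts.append((user, f"login from new country {e['country']}"))
        elif e["type"] == "ApiQuery":
            # Keep only queries within `window` of this one, then sum rows so
            # several individually modest queries still reveal a burst export.
            windows[user] = [(t, r) for t, r in windows[user] if ts - t <= window]
            windows[user].append((ts, e["rows"]))
            total = sum(r for _, r in windows[user])
            if total > row_threshold:
                alerts.append((user, f"bulk extraction: {total} rows in {window}"))
                windows[user] = []  # reset so one burst produces one alert
        elif e["type"] == "PermissionChange" and not e.get("is_admin", False):
            alerts.append((user, "permission change by non-admin user"))
    return alerts


if __name__ == "__main__":
    for user, indicator in detect(EVENTS, BASELINE_COUNTRIES):
        print(f"ALERT {user}: {indicator}")
```

In a real deployment the baseline would be learned from historical login data and the row threshold set from each org's normal integration traffic, since a legitimate nightly sync can also move tens of thousands of rows.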

Incident Response Planning

Organizations should have a well-defined incident response plan specifically for Salesforce security incidents. This plan should include:

  • Immediate containment procedures to prevent further data exfiltration
  • Communication protocols for notifying stakeholders, including customers and regulatory authorities
  • Forensic analysis procedures to determine the scope and impact of the breach
  • Recovery and remediation steps to restore secure operations
  • Post-incident review processes to improve security measures

Regulatory Compliance and Legal Considerations

The FBI’s warning about UNC6040 and UNC6395 comes at a time when regulatory scrutiny of data security practices is intensifying. Organizations using Salesforce must consider various compliance requirements that may apply to their operations.

Data protection regulations such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States impose strict requirements for protecting personal data and mandatory breach notification procedures. Under GDPR, organizations can face fines of up to 4% of annual global revenue or €20 million for serious data protection violations.

Industry-specific regulations also apply to many organizations:

  • Healthcare organizations must comply with HIPAA requirements for protecting patient health information
  • Financial services companies are subject to regulations such as PCI DSS for payment card data and various banking regulations
  • Government contractors must meet cybersecurity requirements under frameworks like NIST 800-171

Organizations should work with legal counsel and compliance experts to ensure their Salesforce security measures meet all applicable regulatory requirements and that they have proper procedures in place for breach notification and regulatory reporting.

The Broader Cybersecurity Landscape and Future Threats

The FBI’s warning about UNC6040 and UNC6395 reflects broader trends in the cybersecurity threat landscape. As organizations increasingly migrate to cloud-based platforms, cybercriminals are adapting their tactics to target these environments specifically.

Verizon’s 2024 Data Breach Investigations Report indicates that cloud-based attacks have increased significantly, with social engineering remaining a primary attack vector. This trend suggests that threats like those posed by UNC6040 and UNC6395 are likely to become more common and sophisticated.

Organizations should anticipate that cybercriminal groups will continue to develop specialized tools and techniques for targeting popular cloud platforms. This evolution requires a proactive approach to security that goes beyond traditional perimeter-based defenses to include:

  • Cloud-specific security controls and monitoring
  • Advanced user and entity behavior analytics (UEBA)
  • Zero-trust security architectures that verify every access request
  • Continuous security assessment and improvement programs

Conclusion: Taking Action to Protect Your Organization

The FBI’s warning about UNC6040 and UNC6395 targeting Salesforce platforms represents a critical wake-up call for organizations of all sizes. These sophisticated cybercriminal groups have demonstrated the ability to successfully compromise Salesforce instances and steal valuable data through carefully orchestrated attacks that can evade traditional security controls.

For SMBs and general consumers using Salesforce, the threat is particularly acute given the limited security resources typically available to smaller organizations. However, by implementing comprehensive security measures including multi-factor authentication, employee training, technical controls, and proper monitoring, organizations can significantly reduce their risk of falling victim to these attacks.

The key to effective protection lies in taking a proactive, layered approach to security that addresses both technical vulnerabilities and human factors. Organizations cannot afford to wait until after an attack occurs to implement proper security measures.

Immediate action steps every organization should take include:

  • Enabling multi-factor authentication for all Salesforce users immediately
  • Conducting security awareness training focused on vishing and social engineering
  • Reviewing and updating user permissions and access controls
  • Implementing monitoring for suspicious activities and data access patterns
  • Developing or updating incident response plans for cloud security breaches

The cybersecurity landscape continues to evolve, and threats like UNC6040 and UNC6395 demonstrate the sophistication and persistence of modern cybercriminal groups. Organizations that take proactive steps to secure their Salesforce environments and other cloud-based systems will be better positioned to defend against these threats and maintain the trust of their customers and stakeholders.

Don’t wait until your organization becomes the next victim. Contact LG CyberSec today to learn how we can help you implement comprehensive security measures to protect your Salesforce platform and other critical business systems from advanced cyberthreats. Our team of cybersecurity experts specializes in helping SMBs develop and implement effective security strategies tailored to their specific needs and budget constraints.
