The FBI has issued a warning about Salesforce data theft linked to two threat groups, UNC6040 and UNC6395. Both groups exploited Salesforce OAuth apps to steal large volumes of sensitive data from multiple organizations. The incidents reveal the growing risks companies face when attackers abuse trusted access tokens.

How Hackers Exploited Salesforce

UNC6040 relied on social engineering and vishing tactics. Attackers tricked employees into installing fake Salesforce OAuth apps, including fraudulent versions of Data Loader. Once connected, the malicious apps gave the hackers access to accounts and contacts, allowing them to extract valuable corporate data.

UNC6395 used stolen OAuth tokens from third-party services to access Salesforce. Compromised tokens from integrations like Salesloft and Drift enabled attackers to bypass normal login checks. In some cases, exposed support case data included passwords, AWS keys, and other sensitive information.

Impact on Organizations

Salesforce data theft poses serious risks for businesses. Hackers targeted customer records, internal communications, and financial data. Stolen information was later linked to extortion campaigns, adding financial and reputational threats for victims.

Reports indicate that high-profile companies across retail, technology, and fashion were affected. The attack method demonstrates how OAuth-based access can undermine otherwise well-secured environments: once attackers hold valid tokens, their API calls look like legitimate integration traffic and do not trigger the login alerts that password-based intrusions would.

Preventive Measures

The FBI recommends several actions to limit future risks:

  • Audit Salesforce OAuth applications and remove unused or suspicious apps.
  • Revoke OAuth tokens issued by breached third-party services.
  • Enforce strict access controls for sensitive case data.
  • Monitor for abnormal data exports or unauthorized use of support systems.
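The four recommendations above map onto three checks a defender can automate: find connected apps nobody has used recently, find apps tied to vendors named in the breach, and flag a user whose daily export volume spikes far above their own baseline. The script below is an added illustration, not code from the FBI alert or from Salesforce. It assumes a connected-app inventory and API event records have already been exported into the simple structures shown (real Salesforce Event Monitoring fields differ); all app names, users, timestamps and row counts are constructed sample data.

```python
"""Triage helpers for the OAuth hygiene checks recommended in the alert.

Added example. Input shapes are assumptions: a list of connected-app dicts
(name, vendor, last_used) and a list of API export events
(timestamp, user, app, rows_returned). Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Vendors named in the alert as sources of compromised tokens; matched on the
# inventory's vendor field, case-insensitively (an assumption about that field).
BREACHED_VENDORS = {"salesloft", "drift"}

NOW = _parse("2025-09-12T00:00:00Z")  # constructed reference time for the audit

# Constructed connected-app inventory.
CONNECTED_APPS = [
    {"name": "Data Loader", "vendor": "Salesforce", "last_used": "2025-09-11T14:20:00Z"},
    {"name": "Drift Connector", "vendor": "Drift", "last_used": "2025-09-10T11:05:00Z"},
    {"name": "Salesloft Sync", "vendor": "Salesloft", "last_used": "2025-08-30T09:00:00Z"},
    {"name": "Legacy BI Export", "vendor": "Internal", "last_used": "2025-03-01T00:00:00Z"},
    {"name": "Data Loader (Bulk)", "vendor": "Unknown", "last_used": "2025-09-11T16:45:00Z"},
]

# Constructed API export events: (timestamp, user, app, rows_returned).
API_EVENTS = [
    ("2025-09-08T10:00:00Z", "alice", "Data Loader", 800),
    ("2025-09-09T10:05:00Z", "alice", "Data Loader", 900),
    ("2025-09-10T09:50:00Z", "alice", "Data Loader", 750),
    ("2025-09-11T16:50:00Z", "alice", "Data Loader (Bulk)", 120_000),
    ("2025-09-11T17:10:00Z", "alice", "Data Loader (Bulk)", 130_000),
    ("2025-09-11T12:00:00Z", "bob", "Drift Connector", 300),
]


def stale_apps(apps, now=NOW, max_idle_days=90):
    """Apps not used within max_idle_days: candidates for removal (recommendation 1)."""
    return [a["name"] for a in apps if (now - _parse(a["last_used"])).days > max_idle_days]


def breached_vendor_apps(apps, breached=BREACHED_VENDORS):
    """Apps whose vendor appears in the breached list: revoke their tokens (recommendation 2)."""
    return [a["name"] for a in apps if a["vendor"].lower() in breached]


def daily_export_totals(events):
    """Sum rows returned per (user, app, calendar day)."""
    totals = defaultdict(int)
    for ts, user, app, rows in events:
        totals[(user, app, ts[:10])] += rows
    return dict(totals)


def abnormal_exports(events, spike_factor=10, floor_rows=10_000):
    """Flag a user's day whose export volume exceeds both an absolute floor and
    spike_factor times the median of that user's other days (recommendation 4).
    The floor keeps a user with no history from being flagged on trivial volume."""
    per_user = defaultdict(list)
    for (user, app, day), rows in daily_export_totals(events).items():
        per_user[user].append((day, app, rows))
    flagged = []
    for user, days in per_user.items():
        for day, app, rows in days:
            others = [r for d, _, r in days if d != day]
            baseline = median(others) if others else 0
            if rows >= floor_rows and rows > spike_factor * baseline:
                flagged.append({"user": user, "app": app, "day": day,
                                "rows": rows, "baseline": baseline})
    return flagged


def triage(apps=CONNECTED_APPS, events=API_EVENTS, now=NOW):
    """Run all three checks and return one report dict."""
    return {
        "stale": stale_apps(apps, now),
        "breached_vendor": breached_vendor_apps(apps),
        "abnormal_exports": abnormal_exports(events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The volume check deliberately compares each user against their own history rather than a global threshold: a data analyst who routinely pulls 800 rows a day and suddenly pulls 250,000 through a newly connected "Data Loader" look-alike is the pattern the alert describes, and it stays visible even in an org whose total export volume is large.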

Conclusion

The FBI alert on Salesforce data theft shows how hackers adapt to exploit trusted tools. By targeting OAuth tokens and applications, attackers bypass standard protections and gain direct access to valuable data. Businesses must take proactive steps, strengthen monitoring, and reduce token risks to protect against similar intrusions.
