FBI Warns of Ongoing Cybercriminal Campaigns Against Salesforce

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has issued a FLASH alert detailing two ongoing cybercriminal campaigns, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion.

UNC6040 has been active since October 2024, using sophisticated social engineering tactics such as vishing (voice phishing) to impersonate IT support and trick employees into revealing credentials or authorizing malicious apps. These threat actors exploit Salesforce’s connected app functionality to bypass traditional defenses, using OAuth tokens to exfiltrate large volumes of data via APIs. Victims have subsequently received extortion threats, often linked to the ShinyHunters group.

Meanwhile, UNC6395, active as of August 2025, exploited compromised OAuth tokens tied to Salesloft’s Drift chatbot to infiltrate Salesforce instances. Salesloft and Salesforce have since revoked all affected tokens.

The FBI warns organizations to remain vigilant, implement phishing-resistant multi-factor authentication, restrict IP-based access, monitor API activity, and regularly review third-party application integrations to prevent such attacks. For more details, refer to the FBI Flash Alert.
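
The last three recommendations (IP-based restriction, API monitoring, integration review) can be combined into one check over API audit records. This is an added example, not code from the FBI alert or from Salesforce; the record fields (`app`, `user`, `ip`, `rows`), app names, network range and threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values (hypothetical; tune per organization).
APPROVED_APPS = {"approved-etl", "approved-chat"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ROW_THRESHOLD = 50_000  # rows returned per (app, user) in the review window

# Constructed sample records; field names are a hypothetical export schema.
SAMPLE_EVENTS = [
    {"app": "approved-etl", "user": "alice", "ip": "203.0.113.10", "rows": 1200},
    {"app": "unreviewed-app", "user": "bob", "ip": "198.51.100.7", "rows": 40000},
    {"app": "unreviewed-app", "user": "bob", "ip": "198.51.100.7", "rows": 35000},
    {"app": "approved-chat", "user": "svc-chat", "ip": "192.0.2.44", "rows": 300},
    {"app": "approved-chat", "user": "svc-chat", "ip": "not-an-ip", "rows": 10},
]


def is_trusted(ip_text):
    """Return True only if ip_text parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a malformed source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def review(events):
    """Return {(app, user): sorted reasons} for every pair that needs review."""
    rows = defaultdict(int)
    findings = defaultdict(set)
    for ev in events:
        key = (ev["app"], ev["user"])
        rows[key] += ev["rows"]
        if ev["app"] not in APPROVED_APPS:
            findings[key].add("unapproved_app")   # integration never reviewed
        if not is_trusted(ev["ip"]):
            findings[key].add("untrusted_ip")     # token used off-network
    for key, total in rows.items():
        if total > ROW_THRESHOLD:
            findings[key].add("high_volume")      # bulk read through the API
    return {key: sorted(reasons) for key, reasons in findings.items()}


if __name__ == "__main__":
    for (app, user), reasons in sorted(review(SAMPLE_EVENTS).items()):
        print(f"{app} / {user}: {', '.join(reasons)}")
```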