Close Menu

    Subscribe to Updates

    Get the latest tech news from Tallwire.

      What's Hot

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

      July 16, 2026

      Record Industry Pushes for AI Labels on Streaming Music

      July 15, 2026
      Facebook X (Twitter) Instagram
      • Tech
      • AI
      • Get In Touch
      Facebook X (Twitter) LinkedIn
      TallwireTallwire
      • Tech

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026
      • AI

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Record Industry Pushes for AI Labels on Streaming Music

        July 15, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Anthropic Doubles Down on New York as AI Talent War Intensifies

        July 15, 2026
      • Security

        China’s AI Distillation Campaign Raises New Concerns Over U.S. Technology Security

        July 13, 2026

        AI Tools Increasingly Exploited by Terrorist Organizations, New Research Finds

        July 13, 2026

        Pentagon Expands Engineering Recruitment to Restore America’s Military Technology Edge

        July 13, 2026

        EU Lawmakers Advance Controversial Private Message Scanning Measure Despite Mounting Privacy Concerns

        July 12, 2026

        Scramble Intensifies to Secure America Against Emerging AI National Security Threats

        July 12, 2026
      • Health

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026
      • Science

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Scientists Advance “StormWall” Concept to Defend Earth from Catastrophic Solar Storms

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026
      • Tech

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026

        Palo Alto Networks CEO Warns AI Costs Must Plunge Before Enterprise Adoption Can Accelerate

        July 14, 2026

        DeepMind Unionization Effort Encounters Early Resistance as Labor Talks Stall

        July 11, 2026

        Always-On Workplace Culture Pushes Employees Toward the Breaking Point

        July 10, 2026

        High-Income Families Embrace AI-Driven Schools as Alternative Education Expands

        July 9, 2026
      TallwireTallwire
      Home»Tech»FBI Sounds Alarm over UNC6040 & UNC6395 Exploits of Salesforce via OAuth Breaches and Vishing
      Tech

      FBI Sounds Alarm over UNC6040 & UNC6395 Exploits of Salesforce via OAuth Breaches and Vishing

      Updated:December 25, 20254 Mins Read
      Facebook Twitter Pinterest LinkedIn Tumblr Email
      FBI Sounds Alarm over UNC6040 & UNC6395 Exploits of Salesforce via OAuth Breaches and Vishing
      FBI Sounds Alarm over UNC6040 & UNC6395 Exploits of Salesforce via OAuth Breaches and Vishing
      Share
      Facebook Twitter LinkedIn Pinterest Email

      The FBI has issued a flash alert warning that two cybercriminal threat clusters—UNC6040 and UNC6395—are actively targeting organizations using Salesforce platforms, carrying out data theft and extortion attacks. UNC6395’s attacks in August 2025 stemmed from a breach of Salesloft’s GitHub account between March and June; this breach allowed attackers to steal OAuth tokens associated with the Salesloft Drift AI chatbot app, which were then used to access numerous Salesforce instances to exfiltrate sensitive data such as AWS keys, passwords, and Snowflake tokens. 

      Sources: Hacker News, Internet Crime Complaint Center

      Key Takeaways

      – OAuth & Third-Party App Risk: Integrations like Salesloft Drift that link to Salesforce via OAuth are being exploited; stolen tokens allow attackers to bypass many protections and gain access to customer data across multiple customers.

      – Social Engineering & Vishing Over Technical Exploits: These campaigns (especially by UNC6040) lean heavily on voice phishing, deceptive connected app authorizations, and impersonation rather than zero-day vulnerabilities, underlining that human-factor risks are still major.

      – Supply Chain & Credential Management Must Be Prioritized: Compromise of platforms like GitHub (in the case of Salesloft) or misconfigured connected apps magnify risk; organizations need tighter controls over credentials, external integrations, MFA, and least-privilege practices.

      In-Depth

      In recent months, the security landscape has seen alarming developments involving two threat clusters—UNC6040 and UNC6395—targeting Salesforce platforms via sophisticated, yet fundamentally social engineering-driven methods. The FBI’s flash alert makes clear that while technical vulnerabilities are part of the picture, attacks are being largely enabled by human trust and misconfigurations, especially in how connected apps and OAuth tokens are managed.

      UNC6395 first entered the stage in August 2025 with a breach rooted in a compromised GitHub account owned by Salesloft. Between March and June, attackers accessed multiple repositories, added guest users, and established workflows—activities that remained under the radar for months. With those footholds, they were able to grab OAuth tokens tied to the Salesloft Drift AI chatbot app. These tokens enabled access to Salesforce instances; attackers ran SOQL queries, exfiltrated data including sensitive credentials (AWS keys, passwords, Snowflake tokens), and deleted query jobs to avoid detection. 

       In response, Salesloft and Salesforce revoked the active tokens, removed the Drift app from the AppExchange, and urged customers to treat all integrations and credentials tied to Drift as potentially compromised. 

      UNC6040, active since approximately October 2024, is using voice phishing (vishing) and deceptive practices to trick employees—often in customer support or admin roles—into authorizing connected apps. One common approach involves guiding them during a vishing call to Salesforce’s connected apps setup pages, where they approve a malicious app (often a modified version of the Data Loader). That approval grants API-level access, allowing bulk data exfiltration via API queries. 

       Because the connected app is “trusted” (by the system once approved), traditional security barriers—MFA, password resets, login monitoring—are often evaded. After data theft, some victims are extorted—attackers may threaten to leak or expose data, sometimes leveraging association with known groups like ShinyHunters to increase pressure. 

      What both campaigns underscore is that even well-designed platforms like Salesforce, which may be secure from a technical standpoint, can still be compromised via poor integration management, lax credential protection, or weak monitoring. The attack vectors involve no inherent vulnerability in Salesforce, but rather exploitation of how external apps are connected and how human trust is leveraged. For defenders, the imperative is clear: audit all third-party integrations (especially those using OAuth), ensure strict least privilege and role separation, rotate and revoke credentials and tokens proactively, enable strong MFA for both platform and source repositories (e.g. GitHub), monitor for unexpected workflow changes or new external users, and train staff and call-handling personnel to recognize vishing or unusual authorization requests.

      As these threat actors evolve, organizations must operate under the assumption that silence from a group or a pause in activity doesn’t mean the threat is gone—only that it may be changing tactics.

      Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
      Previous ArticleFandom-First Search Startup Lore Raises $1.1M to Fuel Deep Internet Discovery
      Next Article FCC Moves to Revoke Recognition of Seven Chinese Labs Over Security Concerns

      Related Posts

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Add A Comment
      Leave A Reply Cancel Reply

      Editors Picks

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Popular Topics
      spotlight Startup Space Taiwan Tech Tesla Cybertruck UAE Tech Software Satellite SpaceX Satya Nadella Sundar Pichai Tesla Samsung Series A starlink Stocks Viral Tim Cook trending Series B
      Major Tech Companies
      • Apple News
      • Google News
      • Meta News
      • Microsoft News
      • Amazon News
      • Samsung News
      • Nvidia News
      • OpenAI News
      • Tesla News
      • AMD News
      • Anthropic News
      • Elbit News
      AI & Emerging Tech
      • AI Regulation News
      • AI Safety News
      • AI Adoption
      • Quantum Computing News
      • Robotics News
      Key People
      • Sam Altman News
      • Jensen Huang News
      • Elon Musk News
      • Mark Zuckerberg News
      • Sundar Pichai News
      • Tim Cook News
      • Satya Nadella News
      • Mustafa Suleyman News
      Global Tech & Policy
      • Israel Tech News
      • India Tech News
      • Taiwan Tech News
      • UAE Tech News
      Startups & Emerging Tech
      • Series A News
      • Series B News
      • Startup News
      Tallwire
      Facebook X (Twitter) LinkedIn Threads Instagram RSS
      • Tech
      • Entertainment
      • Business
      • Government
      • Academia
      • Transportation
      • Legal
      • Press Kit
      © 2026 Tallwire. Optimized by ARMOUR Digital Marketing Agency.

      Type above and press Enter to search. Press Esc to cancel.