HowsMyPassword

Your All-in-One Password Security Hub

FBI Warns of UNC6040 and UNC6395 Hackers Stealing Salesforce Data

HowsMyPassword Team
September 15, 2025
FBI Warning: These Hackers Are Stealing Salesforce Data (And They're Really Good At It)

Look, I hate being the bearer of bad news, but we need to talk about something serious. The FBI just dropped a warning about two hacker groups that are absolutely crushing it at stealing Salesforce data - and not in a good way. We're talking about major companies getting hit here: Google, Adidas, Cloudflare... yeah, the big players.

I'll break down what's happening and show you exactly how to protect yourself, because this is some next-level stuff that even caught security pros off guard.

Meet Your New Cyber Enemies: UNC6040 and UNC6395

These two groups are using different tricks, but both are scary effective. Let's break them down:

UNC6040: The Social Engineering Masters

These folks are basically the con artists of the cyber world. They're creating fake Salesforce Data Loader apps that look completely legitimate. Once someone installs one, game over - they can grab whatever data they want. Think of it like someone wearing a perfect FedEx uniform walking into your office - if it looks right, people tend to trust it.

UNC6395: The OAuth Token Thieves

This group is even sneakier. They're stealing OAuth tokens (those things that let apps connect to Salesforce) from Salesloft and Drift. It's like they've stolen the master key to the building - once they're in, they can access support cases and sensitive customer data without setting off any alarms.

Why This Is Such a Big Deal

The stolen data isn't just sitting idle. A group called ShinyHunters is using it for extortion - basically saying "pay up or we'll release everything." And we're not talking about minor data here - it's customer lists, support cases, internal documents... the kind of stuff that keeps CEOs up at night.

How to Protect Your Salesforce Environment

First things first - you need strong authentication across the board. I can't stress this enough: if you're not using hardware security keys for your admin accounts, you're asking for trouble.

Here's what you need to do:

1. Lock Down Your Authentication

I've set up dozens of Salesforce environments, and here's what I always recommend:

  • Enable Multi-Factor Authentication (MFA) for everyone - no exceptions

  • For admin accounts, use hardware security keys - I personally use YubiKey 5 NFC because it works on pretty much everything

  • Use a solid password manager (I've got my whole team on NordPass because it makes sharing secure credentials actually manageable)

2. Get Serious About OAuth Security

This is crucial:

  • Review ALL connected apps monthly (yes, actually do it)

  • Revoke access for anything you don't recognize or haven't used recently

  • Set up alerts for new OAuth token generations
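
Here's what that review can look like as a script. This is an added example, not code from the FBI warning or from Salesforce: it assumes you've exported your connected-app OAuth usage to a CSV, and the column names, the sample rows and the `APPROVED_APPS` allowlist are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a Salesforce schema.
SAMPLE_EXPORT = """app_name,user,created,last_used,use_count
Salesforce CLI,admin@example.com,2025-01-10,2025-09-12,340
Marketing Sync,ops@example.com,2024-11-02,2025-05-01,12
My Ticket Portal,jdoe@example.com,2025-09-13,2025-09-13,57
Data Loader,jdoe@example.com,2025-09-11,2025-09-14,9
"""

# Hypothetical allowlist of apps that IT has approved.
APPROVED_APPS = {"Salesforce CLI", "Marketing Sync", "Data Loader"}


def _parse(day):
    """Parse YYYY-MM-DD; an empty field means the token was never used."""
    return datetime.strptime(day, "%Y-%m-%d") if day else None


def review_tokens(csv_text, approved, today, stale_days=30, new_days=7):
    """Return (app, user, reasons) for every token that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        created, last_used = _parse(row["created"]), _parse(row["last_used"])
        # Anything you don't recognize
        if row["app_name"].strip() not in approved:
            reasons.append("unrecognized app")
        # Anything you haven't used recently
        if last_used is None:
            reasons.append("never used")
        elif today - last_used > timedelta(days=stale_days):
            reasons.append("unused for %d days" % (today - last_used).days)
        # New token generations get flagged even for approved app names
        if today - created <= timedelta(days=new_days):
            reasons.append("newly issued token")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    today = datetime(2025, 9, 15)
    for app, user, reasons in review_tokens(SAMPLE_EXPORT, APPROVED_APPS, today):
        print(f"{app:18} {user:20} {', '.join(reasons)}")
```

Notice that the approved `Data Loader` row still gets flagged because its token is new: a trusted name on its own doesn't tell you the app is the real one.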

3. Monitor Everything

You need to watch your Salesforce environment like a hawk:

  • Turn on all security alerts

  • Set up monitoring for unusual data exports

  • Review access logs weekly (I know it's boring, but it's important)

4. Train Your Team

The best security tools in the world won't help if someone falls for a social engineering attack. Make sure everyone knows:

  • Never install apps or tools without IT approval

  • Be suspicious of any unexpected "Salesforce update" emails

  • Report anything unusual immediately

The Bottom Line

These attacks are sophisticated, but they're not unstoppable. The key is layering your security - good authentication, careful app management, and solid monitoring. And please, if you haven't already, get those hardware security keys and a proper password manager set up. I've seen too many companies learn this lesson the hard way.

Stay safe out there, and keep an eye on those Salesforce logs!

Quick heads up: Some links in this article are affiliate links. If you buy something through them, we might earn a small commission (doesn't cost you extra). We only recommend stuff we'd actually use ourselves or set up for our own families. No BS recommendations here.
