In today’s digital landscape, protecting sensitive data on platforms like Salesforce has become a critical concern for organizations worldwide. I had the privilege of sitting down with Malik Haidar, a seasoned cybersecurity expert with years of experience safeguarding multinational corporations from sophisticated cyber threats. With a unique blend of technical expertise in analytics and intelligence, and a knack for aligning security with business goals, Malik offers invaluable insights into the latest FBI warnings about cybercriminal groups targeting Salesforce platforms. Our conversation dives into the tactics of these threat actors, the implications for businesses, and strategies to stay ahead of evolving risks.
How did the FBI’s recent flash alert come about, and what does it reveal about the cybercriminal groups targeting Salesforce platforms?
The FBI’s recent flash alert is a critical heads-up for organizations using Salesforce, highlighting the activities of two specific cybercriminal groups, UNC6040 and UNC6395. These groups have been actively targeting Salesforce platforms to steal data and, in some cases, engage in extortion. The alert provides indicators of compromise—basically, red flags that help companies detect if they’ve been hit. It’s a stark reminder that even robust platforms like Salesforce aren’t immune to attacks if cybercriminals find a way in through clever methods or exploited weaknesses. Both groups use different approaches to gain access, but their endgame is the same: grabbing sensitive data for profit.
Can you break down the specific actions of UNC6395 in their data theft campaign from August 2025?
Absolutely. UNC6395 launched a widespread campaign in August 2025, focusing on Salesforce instances by exploiting compromised OAuth tokens tied to the Salesloft Drift application. They essentially hijacked these tokens to slip into systems undetected. What made this attack possible was a breach of Salesloft’s GitHub account earlier that year, between March and June 2025. This gave them a backdoor to manipulate the Drift app, an AI chatbot tool, as a gateway to access and steal data from connected Salesforce environments. It’s a classic case of attackers targeting third-party integrations as the weak link in the chain.
What steps has Salesloft taken in response to this breach involving their GitHub account and the Drift application?
Salesloft acted swiftly once the breach came to light. They’ve isolated the Drift infrastructure and taken the AI chatbot application offline to prevent further misuse. On top of that, they’re rolling out stronger security measures, like rotating credentials, beefing up multi-factor authentication, and hardening their GitHub setup. They’ve also been transparent with their customers, advising them to assume that any data or integrations tied to Drift might be compromised. It’s a tough message, but it’s the right call to encourage vigilance and prompt action from their user base.
Shifting gears to UNC6040, how have they been attacking Salesforce platforms since October 2024?
UNC6040 has been a persistent threat since October 2024, focusing on financially motivated attacks. Their approach often starts with vishing—voice phishing—campaigns to trick employees into giving up access. Once they’re in, they use modified versions of legitimate tools like Salesforce’s Data Loader, alongside custom Python scripts, to siphon off massive amounts of data. What’s particularly concerning is their follow-up extortion tactics. Months after the initial theft, they often circle back to demand payment, threatening to leak or sell the stolen data if their demands aren’t met. It’s a long-game strategy that maximizes pressure on victims.
Can you elaborate on how UNC6040 uses phishing panels and social engineering in their attacks?
Sure. UNC6040 is crafty with their social engineering. They set up phishing panels—fake login pages or portals—and guide victims to access them during carefully orchestrated phone calls. They often insist that the victim uses their mobile phone or work computer, likely because it’s easier to bypass security measures like corporate firewalls or monitoring on personal devices. Once the victim enters their credentials or grants access, the attackers use API queries to pull out huge volumes of data in bulk. It’s a slick operation that exploits human trust rather than just technical vulnerabilities.
The FBI also mentions a group linked to UNC6040, known as UNC6240, which claims ties to ShinyHunters. What’s their role in these extortion schemes?
UNC6240 seems to handle the extortion side of things after UNC6040 steals the data. They’ve been reaching out to victims—sometimes months after the breach—via emails or calls, claiming to be part of the infamous ShinyHunters group. Their goal is to ramp up fear, threatening to expose the stolen data. There’s also chatter about them potentially setting up a data leak site, which would be a public platform to dump compromised information if victims don’t pay up. That kind of escalation could be devastating, as it not only harms the organization’s reputation but also puts customers and partners at risk of further attacks.
With recent developments about groups like ShinyHunters and others claiming to ‘go dark,’ how should organizations interpret such announcements?
These announcements, like the one from the so-called ‘scattered LAPSUS$ hunters 4.0’ group on their Telegram channel, should be taken with a grain of salt. They claimed to shut down operations in September 2025, citing fulfilled objectives or even missteps by law enforcement. But history shows that these groups rarely retire for good. They often splinter, rebrand, or lay low to dodge heat from authorities, only to pop up again under new names. Stolen data doesn’t disappear—it can resurface later, and undetected backdoors might still linger in compromised systems. Organizations need to stay on guard and assume the threat is just evolving, not vanishing.
What’s your forecast for the future of cyber threats targeting platforms like Salesforce?
I expect these threats to grow in sophistication and frequency. As more businesses rely on cloud platforms like Salesforce for critical operations, they become juicier targets for cybercriminals. We’ll likely see more attacks exploiting third-party apps and integrations, alongside advanced social engineering tactics. The use of AI and automation by attackers could also make phishing and data exfiltration even harder to detect. On the flip side, I think we’ll see stronger collaboration between law enforcement, platform providers, and businesses to share threat intelligence and build better defenses. But it’s going to be a constant cat-and-mouse game, and companies need to prioritize proactive security measures now more than ever.
