How Modern Cyber Attacks Exploit OAuth, APIs, and Human Error (and What Companies Can Do About It).
On September 12, 2025, the FBI issued FLASH-20250912-001, calling urgent attention to a wave of data theft and extortion attacks targeting Salesforce environments. Two major cybercriminal groups – UNC6040 and UNC6395 – are leading the charge. They employ increasingly sophisticated tactics to compromise organizations and steal sensitive customer data.
Anatomy of the Attack
Since late 2024, UNC6040 has been largely focused on voice phishing, or “vishing.” Threat actors impersonate IT staff, call help desks, and use surprisingly convincing stories to manipulate employees.
Their goals?
Bad actors are looking to harvest credentials and multi-factor authentication (MFA) codes, trick users into installing malicious apps that look like legitimate Salesforce tools, and coax them into approving OAuth tokens, all to gain access to critical systems.
Once inside these systems, attackers exploit trusted APIs and tools (like Data Loader) to pull out vast amounts of data, blending into normal business operations and evading traditional security controls.
UNC6395, meanwhile, has targeted OAuth tokens issued for Salesloft Drift, an AI chatbot integration. After compromising these tokens, the group was able to log into Salesforce and siphon sensitive information. The hack was so impactful that, in August 2025, Salesforce and Salesloft revoked all Drift-related tokens to stop further data leaks.
Why Detection Is So Difficult
What makes these attacks especially challenging is that the criminals don’t break in through software flaws or malware. Rather, access is technically legitimate, obtained through social engineering or via pre-existing trusted integrations. API calls mimic everyday Salesforce activity, and OAuth tokens appear valid. Security teams relying only on traditional indicators are unlikely to spot these threats until the data is already gone.
Victims of UNC6040 have also faced direct extortion via ShinyHunters, with threats to leak stolen data unless cryptocurrency ransoms are paid. This convergence of data theft followed by extortion has raised the stakes for security teams across industries.
FBI’s Guidance for Defenders
The FBI has recommended that organizations:
- Immediately harden staff awareness, especially among the help desk and call center teams targeted for vishing.
- Deploy phishing-resistant MFA wherever possible.
- Apply strict least privilege standards for all Salesforce and connected apps.
- Regularly audit and rotate API keys, OAuth tokens, and app connections.
- Monitor network and API logs for signs of bulk queries, anomalous sessions, or new/unfamiliar device access.
- Actively ingest and monitor the published indicators of compromise (IOCs), including suspicious IP addresses, user agents, and URLs.
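The last two recommendations (watch API logs for bulk pulls and unfamiliar devices, and match traffic against published IOCs) can be turned into simple detection logic. The script below is an added example written for this post, not code from the FBI FLASH, Salesforce, or TraitWare. It runs over a constructed, pipe-delimited log format (timestamp|user|ip|user_agent|operation|rows) that stands in for Salesforce event-monitoring data; the IOC values and per-user device baselines are placeholders made up for the example, not indicators from the advisory, and a real deployment would load them from the FLASH and from login history.

```python
# Added example (not from the FBI FLASH or TraitWare): scan constructed Salesforce-style
# API log records for the patterns the guidance names: bulk data pulls, sessions from
# unfamiliar devices/IPs, and hits on a published IOC list.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder IOC watchlist (constructed for this example; the real FLASH publishes its own).
IOC_IPS = {"203.0.113.45"}                  # TEST-NET-3 address, placeholder
IOC_USER_AGENTS = {"python-requests/2.25"}  # placeholder user-agent string

# Per-user baseline of IPs seen before (constructed; in practice built from login history).
KNOWN_DEVICES = {
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"198.51.100.22"},
}

BULK_ROWS_THRESHOLD = 10_000     # rows returned by one call that we treat as a bulk export
BULK_WINDOW = timedelta(minutes=10)
BULK_CALLS_THRESHOLD = 5         # this many API calls inside the window = extraction burst


@dataclass
class ApiEvent:
    ts: datetime
    user: str
    ip: str
    user_agent: str
    operation: str   # e.g. "query", "bulk_export"
    rows: int


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed log line: ts|user|ip|user_agent|operation|rows."""
    ts, user, ip, ua, op, rows = line.strip().split("|")
    return ApiEvent(datetime.fromisoformat(ts), user, ip, ua, op, int(rows))


def detect(lines):
    """Return a list of (user, rule, detail) alerts for the given log lines."""
    alerts = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent_calls = defaultdict(list)   # user -> timestamps inside the sliding window
    for e in events:
        # Rule 1: traffic matching the published indicators of compromise
        if e.ip in IOC_IPS:
            alerts.append((e.user, "ioc_ip", e.ip))
        if e.user_agent in IOC_USER_AGENTS:
            alerts.append((e.user, "ioc_user_agent", e.user_agent))
        # Rule 2: access from an IP/device never seen for this user
        if e.ip not in KNOWN_DEVICES.get(e.user, set()):
            alerts.append((e.user, "unfamiliar_device", e.ip))
        # Rule 3: a single call that returns a bulk-sized result set
        if e.rows >= BULK_ROWS_THRESHOLD:
            alerts.append((e.user, "bulk_query", f"{e.operation}:{e.rows}"))
        # Rule 4: many API calls in a short window (Data Loader-style extraction);
        # fires once, when the count first reaches the threshold
        recent_calls[e.user].append(e.ts)
        recent_calls[e.user] = [t for t in recent_calls[e.user] if e.ts - t <= BULK_WINDOW]
        if len(recent_calls[e.user]) == BULK_CALLS_THRESHOLD:
            alerts.append((e.user, "burst_api_calls", f"{BULK_CALLS_THRESHOLD} calls in {BULK_WINDOW}"))
    return alerts


# Constructed sample log: alice behaves normally; bob's session shows every pattern at once.
SAMPLE_LOG = """
2025-09-01T09:00:00|alice@example.com|198.51.100.10|Mozilla/5.0|query|120
2025-09-01T09:05:00|alice@example.com|198.51.100.10|Mozilla/5.0|query|80
2025-09-01T13:00:00|bob@example.com|203.0.113.45|python-requests/2.25|query|50000
2025-09-01T13:01:00|bob@example.com|203.0.113.45|python-requests/2.25|bulk_export|25000
2025-09-01T13:02:00|bob@example.com|203.0.113.45|python-requests/2.25|bulk_export|25000
2025-09-01T13:03:00|bob@example.com|203.0.113.45|python-requests/2.25|bulk_export|25000
2025-09-01T13:04:00|bob@example.com|203.0.113.45|python-requests/2.25|bulk_export|25000
"""


def run_example():
    """Run the detector over the constructed sample log and return its alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, rule, detail in run_example():
        print(f"{user}\t{rule}\t{detail}")
```

Each of bob's five calls trips the IOC, unfamiliar-device and bulk-query rules, and the fifth call inside the ten-minute window adds one burst alert; alice's small queries from her known IP produce nothing. The thresholds are deliberately crude: in practice they should be tuned per org against the volume legitimate Data Loader jobs actually move, so that a genuine integration does not page the on-call every night.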
These incidents highlight the new realities of SaaS security: platforms like Salesforce are prime targets for well-funded attackers, and trusted third-party integrations can become stealthy backdoors. Human factors remain the most vulnerable link. Attackers are exploiting them with growing skill.
How TraitWare Helps Mitigate This Risk
TraitWare’s technology is built from the ground up to protect against precisely these forms of business logic abuse and social engineering:
- Zero-Shareable Secrets: By eliminating passwords, MFA codes, and help desk resets, TraitWare removes the core element these attackers are after: something an employee can be tricked into sharing.
- Phishing-Resistant Authentication: TraitWare binds login to a unique device and biometrics, meaning attackers cannot impersonate users through stolen credentials or codes.
- No Vendor Lock-In: By maintaining an independent authentication layer, TraitWare reduces reliance on vulnerable OAuth dependencies and siloed third-party integrations.
- Continuous Monitoring and Granular Access Controls: TraitWare enables enterprises to enforce least privilege, revoke access instantly, and monitor anomalous login and device activity in real time.
In a threat landscape where attackers are not breaking down the door, but getting employees to unlock it for them, TraitWare changes the equation. By removing the attacker’s leverage and simplifying user experience, organizations can focus less on breach response and more on business growth.
With TraitWare, the front door doesn’t just have a better lock: it can’t be picked, phished, or bypassed.
Contact us to find out more!