Hackers Are Stealing Salesforce Data, Google Warns

By Christy Lynch

This post summarizes the June 4, 2025 threat intelligence update from Google and offers additional recommendations from Reveal Security based on similar and recently observed attack patterns targeting SaaS applications and cloud infrastructure. Reveal Security monitors the overall cyber landscape for unique threats that can evade legacy detection methodologies. This UNC6040 campaign continues post-authentication, where many tools lose visibility. Our unique post-authentication approach adds a critical line of defense against this threat and other credential-based attack vectors.

Summary of the Threat

Google’s Threat Intelligence Team has identified an ongoing campaign by threat actor group UNC6040, in which attackers are stealing data from Salesforce and other SaaS applications. The attackers begin by socially engineering employees to steal credentials, then log into enterprise SaaS applications using residential proxy services to mask their location and blend in with legitimate traffic. Once authenticated, the attackers conduct manual reconnaissance to identify valuable data, such as customer records or support tickets, and then exfiltrate the data using legitimate application features.

And the attackers don’t stop there. According to the report: “Following this initial data theft, UNC6040 was observed leveraging end-user credentials obtained through credential harvesting or vishing to move laterally through victim networks, accessing and exfiltrating data from other cloud platforms such as Okta and Microsoft 365.” In some cases, this stolen data is used in extortion attempts against the affected companies.

Attack Flow

According to Google’s report, the attack typically unfolds in the following stages:

The attackers appear highly familiar with Salesforce’s user interface and data structures, enabling them to navigate and extract data efficiently while staying within the broader bounds of normal user behavior.
Attribution and Targeting

UNC6040 is a financially motivated group that Google has been tracking since 2023. This campaign does not rely on malware or exploits; instead it uses legitimate credentials and authorized application behavior, which makes detection particularly difficult. The attacks appear opportunistic rather than industry-specific. Organizations using Salesforce and other major SaaS platforms for customer service or case management are at heightened risk.

Detection and Mitigation Challenges

Several factors make these attacks difficult to detect:

Google emphasizes that session monitoring, anomaly detection, and granular audit logs are critical to identifying these kinds of intrusions. Salesforce customers can review their security documentation here.

How Reveal Security Helps

Reveal Security provides visibility into post-authentication user activity across SaaS applications like Salesforce, enabling organizations to detect the exact kind of behavior seen in this campaign. By analyzing human and non-human identity behavior to learn what is typical, Reveal detects behavioral anomalies that suggest misuse and impersonation, even when the attacker uses valid credentials and operates from approved locations. Reveal Security’s detection capabilities include:

Post-authentication behavioral monitoring in SaaS and cloud is often the only way to distinguish attacker actions from those of legitimate users. To learn more about how Reveal Security can protect against threats targeting data in Salesforce and other SaaS platforms, visit https://www.reveal.security/.
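To make the post-authentication idea concrete, here is an added illustration (not Reveal Security's product code, and the record layout is a simplified stand-in for Salesforce event-monitoring logs, not the real schema): a per-user baseline of export sizes and source networks, against which new activity is scored, so a valid login that exports far more rows than that user ever has, or arrives from a never-seen network type such as a residential proxy, is flagged even though no credential or exploit is involved.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (user, event_type, rows_returned, network_kind).
# Simplified stand-in for Salesforce event logs; not the real EventLogFile schema.
BASELINE = [
    ("alice", "ReportExport", 120, "corporate"),
    ("alice", "ReportExport", 150, "corporate"),
    ("alice", "ReportExport", 90, "corporate"),
    ("alice", "ReportExport", 130, "corporate"),
    ("bob", "ReportExport", 2000, "corporate"),  # bob routinely runs big exports
    ("bob", "ReportExport", 2400, "corporate"),
    ("bob", "ReportExport", 1800, "corporate"),
    ("bob", "ReportExport", 2200, "corporate"),
]

# Constructed activity under test: one legitimate large export by bob, one
# export by alice that is out of character in both size and source network.
NEW_EVENTS = [
    ("bob", "ReportExport", 2300, "corporate"),
    ("alice", "ReportExport", 1500, "residential"),
]

def build_profile(events):
    """Learn, per user, the export sizes and network kinds seen in the baseline."""
    prof = defaultdict(lambda: {"rows": [], "networks": set()})
    for user, etype, rows, net in events:
        if etype == "ReportExport":
            prof[user]["rows"].append(rows)
        prof[user]["networks"].add(net)
    return prof

def score_event(profile, event, z_threshold=3.0):
    """Return the reasons this event deviates from the user's own baseline."""
    user, etype, rows, net = event
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if net not in p["networks"]:
        reasons.append(f"first activity from {net} network")
    if etype == "ReportExport" and len(p["rows"]) >= 3:
        mu, sd = mean(p["rows"]), pstdev(p["rows"])
        sd = sd or max(mu * 0.1, 1.0)  # avoid divide-by-zero on flat baselines
        z = (rows - mu) / sd
        if z > z_threshold:
            reasons.append(f"{rows} rows is {z:.1f} sd above user mean {mu:.0f}")
    return reasons

def alerts(baseline, events):
    """Events that deviate from the user's baseline, with their reasons."""
    profile = build_profile(baseline)
    return [(e[0], score_event(profile, e)) for e in events if score_event(profile, e)]
```

Bob's 2300-row export passes because it is normal for him, while alice's export trips both the size and the network checks; the per-user baseline is what makes the same action benign for one identity and suspicious for another.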

The post Hackers Are Stealing Salesforce Data, Google Warns appeared first on RevealSecurity.


05 June 2025

