Salesforce
Business Honor
09 June, 2025
UNC6040 hackers trick employees into installing fake Salesforce app, stealing data globally.
Google stated that hackers are tricking workers at businesses in the Americas and Europe into installing a modified version of a Salesforce program. This allows the hackers to steal large amounts of data from those businesses and gives them access to other corporate cloud services.
The Google Threat Intelligence Group has identified the hackers as UNC6040. According to the researchers, they have "proven particularly effective at tricking employees" into installing a modified version of Salesforce's Data Loader, a proprietary application used to load data into Salesforce environments in bulk.
The hackers use phone calls to trick employees into visiting a phony Salesforce connected app setup page, where they approve the unregistered, modified version of the app, which the hackers created to look like Data Loader. The researchers say that once an employee installs the app, the hackers have a wide range of capabilities to directly access, query, and extract sensitive data from the affected Salesforce customer environments. The hackers' continued movement within a customer's network also makes attacks on internal company networks and other cloud services possible.
According to the researchers, the campaign's technical infrastructure shares traits with suspected connections to the larger, loosely organized ecosystem known as "The Com," which is characterized by small, dispersed groups involved in cybercrime and occasionally violence. About 20 organizations have been impacted by the UNC6040 campaign, which has been observed over the past few months, a Google representative told Reuters. According to the spokesperson, data was successfully exfiltrated from a portion of those organizations.
Although the representative would not disclose the precise number of impacted clients, Salesforce stated that it was "not a widespread issue" and that it was "aware of only a small subset of affected customers."