Sober Thoughts. Drunk Posts.

FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data

Pour yourself a drink, this breach is dumber than last week’s. The top story in today’s Security News Newsletter reads like a case study in how not to secure your SaaS real estate. The FBI has issued a FLASH alert about UNC6040 and UNC6395, two threat clusters that apparently figured out how to make Salesforce data their personal ATM and then extort victims with the audacity you only see from vendors hawking “new risk scores.”

Let me spell out what the article actually says, because apparently the cybersecurity industry loves cryptic acronyms more than basic cybersecurity hygiene. Two groups are compromising Salesforce environments to steal data and extort victims. This isn’t a zero day or a mysterious API flaw that only a vendor could love; it’s a reminder that people still log in with stolen credentials, or leave API access wide open, and then pretend the problem is some magical Salesforce flaw rather than human error with a shiny badge. In other words, the usual suspects in a new costume, wearing a suit tailored by a PR firm.

And yet the slapstick routine continues. The press releases arrive with the same drumbeat: dashboards glowing, executives nodding along, and not a single realistic mitigation described beyond “improve your detection.” Vendors will spin this as another reason to buy a product with a logo, a chart, and a quarterly renewal cadence. CISOs will nod and add more lines to their risk register, as if risk were a marching band and not a smell you can detect from the mailroom. It is almost charming in a grim way how the industry treats every advisory like a cliff in a video game—you respawn, you upgrade, you move on, and somehow the breach recycles every quarter anyway.

What would actually help here? In a sane world, you would lock down Salesforce access like a vault. Enforce strict MFA on admin accounts and on any OAuth client that can touch data. Rotate and restrict API keys, monitor for abnormal token grants, and enforce least privilege everywhere, including service accounts. If you are still treating SaaS security as an afterthought, then yes, the next alert will be about you getting extorted for a couple of dollars you pretend you never had in your budget. Zero trust for SaaS, continuous monitoring of OAuth and API activity, and a culture that treats every credential like a loaded gun would be a start. In other words, stop acting surprised when attackers steal data you left sitting on a shelf with the price tag still attached.
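To make the “monitor OAuth and API activity” advice concrete, here is an added example of the kind of policy check a defender would run over SaaS audit events. This is illustrative code written for this post, not anything from the FBI alert, Salesforce, or a vendor: the event schema, the field names, the sample events, the approved-app list, and the row threshold are all constructed assumptions. It flags the same things the paragraph above says to watch for: privileged logins without MFA, service accounts logging in from outside their expected network, OAuth grants to unapproved connected apps or with over-broad scopes, and bulk exports that blow past a baseline.

```python
"""Policy checks over SaaS (Salesforce-style) audit events.

Everything here is constructed for illustration: the event schema, sample
events, approved apps, CIDRs and thresholds are assumptions, not the real
Salesforce event-log format or any vendor API.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample events (not real logs). One normal user session,
# then a service account behaving the way the advisory warns about.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T08:01:00Z", "type": "LOGIN", "user": "alice",
     "mfa": True, "client": "Browser", "ip": "10.0.0.12"},
    {"ts": "2025-09-10T08:05:00Z", "type": "OAUTH_GRANT", "user": "alice",
     "client": "Data Loader", "scopes": "api refresh_token"},
    {"ts": "2025-09-10T09:15:00Z", "type": "BULK_EXPORT", "user": "alice",
     "client": "Data Loader", "rows": 1200},
    {"ts": "2025-09-10T21:30:00Z", "type": "LOGIN", "user": "svc-integration",
     "mfa": False, "client": "Custom App", "ip": "203.0.113.7"},
    {"ts": "2025-09-10T21:31:00Z", "type": "OAUTH_GRANT", "user": "svc-integration",
     "client": "Quick CRM Sync", "scopes": "api full refresh_token"},
    {"ts": "2025-09-10T21:40:00Z", "type": "BULK_EXPORT", "user": "svc-integration",
     "client": "Quick CRM Sync", "rows": 850_000},
]


@dataclass(frozen=True)
class Policy:
    approved_apps: frozenset      # connected apps allowed to hold OAuth grants
    privileged_users: frozenset   # admins + service accounts: MFA is mandatory
    service_accounts: frozenset   # accounts pinned to known source networks
    service_cidrs: tuple          # networks a service account may log in from
    export_row_limit: int         # rows per export above which we alert
    forbidden_scopes: frozenset   # scopes that violate least privilege


# Hypothetical policy values for the constructed tenant.
DEFAULT_POLICY = Policy(
    approved_apps=frozenset({"Data Loader", "Custom App"}),
    privileged_users=frozenset({"alice", "svc-integration"}),
    service_accounts=frozenset({"svc-integration"}),
    service_cidrs=(ipaddress.ip_network("10.0.0.0/8"),),
    export_row_limit=50_000,
    forbidden_scopes=frozenset({"full"}),
)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def check_login(ev, policy):
    """MFA on privileged accounts; service accounts only from known networks."""
    out = []
    if ev["user"] in policy.privileged_users and not ev.get("mfa", False):
        out.append(Finding("mfa_missing", ev["user"], f"login without MFA from {ev['ip']}"))
    if ev["user"] in policy.service_accounts:
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in policy.service_cidrs):
            out.append(Finding("ip_out_of_range", ev["user"], f"service login from {ev['ip']}"))
    return out


def check_oauth_grant(ev, policy):
    """Token grants only to approved apps, never with over-broad scopes."""
    out = []
    if ev["client"] not in policy.approved_apps:
        out.append(Finding("unapproved_connected_app", ev["user"], f"grant to {ev['client']!r}"))
    bad = set(ev.get("scopes", "").split()) & policy.forbidden_scopes
    if bad:
        out.append(Finding("overbroad_scope", ev["user"], f"scopes {sorted(bad)} on {ev['client']!r}"))
    return out


def check_export(ev, policy):
    """Large exports and exports through unapproved clients are anomalies."""
    out = []
    if ev["rows"] > policy.export_row_limit:
        out.append(Finding("bulk_export_anomaly", ev["user"], f"{ev['rows']} rows via {ev['client']!r}"))
    if ev["client"] not in policy.approved_apps:
        out.append(Finding("export_via_unapproved_app", ev["user"], f"export through {ev['client']!r}"))
    return out


CHECKS = {"LOGIN": check_login, "OAUTH_GRANT": check_oauth_grant, "BULK_EXPORT": check_export}


def detect(events, policy=DEFAULT_POLICY):
    """Run every applicable check over the event stream; return all findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        if check:
            findings.extend(check(ev, policy))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

Run against the constructed sample, the normal user produces nothing while the service account trips six findings across three events, which is the point: a single login without MFA is noise, but a no-MFA login from a strange network followed by a grant to an unknown app with a “full” scope and a six-figure export is the shape of the problem the alert describes. In a real deployment the approved-app list and the export baseline come from your own tenant, not from this post.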

So yes, this is another reminder that the bar is low, the drinks are high, and executives still demand slides instead of secure systems. If you are looking for a silver bullet, keep walking. If you want a practical path, start treating Salesforce access like critical infrastructure, because apparently that is what the FBI thinks too. Read the original report for the bare bones and then ignore the vendor spin, and maybe pour another glass of your favorite whiskey while you plan the actual security work you have ignored for months.
