Workday confirmed a security breach stemming from a compromise of **Salesloft’s Drift application**, which granted unauthorized access to **customer-facing metadata** within its **Salesforce environment**. The threat actor exploited stolen **OAuth credentials** from Drift to execute targeted search queries in Workday’s Salesforce tenant, exposing non-sensitive data such as **business contact details, support case IDs, tenant attributes (name, data center location), product/service listings, training enrollments, and event logs**. No **file attachments, contracts, financial documents, or sensitive credentials** (e.g., passwords, tokens) were accessed, though Workday is auditing historical case notes for inadvertent disclosures. The attack was **contained to the Salesforce layer** via Drift, with no direct compromise of Workday’s core platform. Customers were advised to **rotate credentials, enforce MFA, and monitor for phishing risks**. The incident highlights third-party integration vulnerabilities and the importance of **OAuth security and access controls** in cloud ecosystems.
Source: https://cyberpress.org/workday-confirms-data-breach/
TPRM report: https://www.rankiteo.com/company/workday
{
  "id": "wor1132611091025",
  "linkid": "workday",
  "type": "Breach",
  "date": "9/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Customers who shared credentials via Salesforce cases (exact number unspecified)',
            'industry': 'Human Capital Management (HCM) and Financial Management',
            'location': 'Global (HQ: Pleasanton, California, USA)',
            'name': 'Workday',
            'size': 'Large (10,000+ employees)',
            'type': 'Enterprise Software Provider',
        },
        {
            'industry': 'Sales Engagement and Conversational Marketing',
            'location': 'Global (HQ: Atlanta, Georgia, USA)',
            'name': 'Salesloft (Drift application provider)',
            'type': 'Third-Party Vendor',
        },
    ],
    'attack_vector': [
        'Compromised Third-Party Application (Drift)',
        'OAuth Credential Abuse',
        'Targeted Search Queries in Salesforce',
    ],
    'customer_advisories': [
        'Rotate credentials transmitted via Salesforce cases.',
        'Audit historical case text for sensitive data.',
        'Enforce MFA and step-up authentication.',
        'Review Drift integration configurations (if applicable).',
    ],
    'data_breach': {
        'file_types_exposed': [
            'Text-based case notes',
            'Event logs',
            'Training enrollment records',
        ],
        'sensitivity_of_data': 'Low (no PII, financial data, or sensitive documents)',
        'type_of_data_compromised': [
            'Non-sensitive metadata',
            'Business operational data',
        ],
    },
    'date_publicly_disclosed': '2024-08-26',
    'description': 'Workday confirmed that a compromise of Salesloft’s Drift application led to unauthorized access to customer-facing data and basic case information within its Salesforce environment. The threat actor exploited Drift’s OAuth credentials to perform targeted search queries in Workday’s Salesforce tenant. Exposed data included non-sensitive metadata such as business contact details, support case identifiers, tenant attributes, product listings, training enrollments, and event logs. No file attachments, contracts, or sensitive documents were accessed. Workday disabled the Drift connector, revoked OAuth tokens, and engaged a forensic firm for investigation. Customers were advised to rotate credentials and enforce multi-factor authentication (MFA).',
    'impact': {
        'brand_reputation_impact': [
            'Potential erosion of trust due to third-party vulnerability',
            'Proactive customer notifications and advisory issuance',
        ],
        'data_compromised': [
            'Business contact details',
            'Support case identifiers',
            'Tenant attributes (name, data center location)',
            'Product and service listings',
            'Training course enrollments with certificates',
            'Event logs',
        ],
        'identity_theft_risk': [
            'Low (no PII or sensitive credentials confirmed exposed)',
        ],
        'operational_impact': [
            'Forensic investigation',
            'Credential rotation for affected customers',
            'Audit of historical case text for inadvertent disclosures',
        ],
        'systems_affected': [
            'Workday’s Salesforce tenant (via Drift integration)',
        ],
    },
    'initial_access_broker': {
        'entry_point': 'Compromised OAuth credentials in Salesloft’s Drift application',
        'high_value_targets': [
            'Workday’s Salesforce tenant',
            'Customer support case data',
        ],
    },
    'investigation_status': 'Ongoing (forensic analysis and customer audits in progress)',
    'lessons_learned': [
        'Third-party integrations (e.g., OAuth-based apps) introduce significant risk vectors.',
        'Proactive monitoring of anomalous activity in SaaS environments is critical.',
        'Regular audits of case text and support logs can mitigate inadvertent credential exposure.',
        'Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.',
    ],
    'post_incident_analysis': {
        'corrective_actions': [
            'Disabling vulnerable Drift connector and revoking OAuth tokens.',
            'Engaging forensic firm for comprehensive system review.',
            'Issuing customer advisories for credential rotation and MFA enforcement.',
            'Publishing detailed guidance for authentication hardening.',
        ],
        'root_causes': [
            'Insufficient protection of Drift’s OAuth credentials by Salesloft.',
            'Lack of granular access controls for third-party integrations in Salesforce.',
            'Potential over-reliance on single-factor authentication for high-risk operations.',
        ],
    },
    'recommendations': [
        'Rotate all credentials shared via Salesforce cases.',
        'Enforce MFA across all user accounts, especially for third-party integrations.',
        'Implement step-up authentication for high-privilege operations.',
        'Conduct phishing awareness training and simulated assessments.',
        'Monitor user activity logs for unusual behavior.',
        'Verify independent impact assessments for direct Drift customers.',
        'Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.',
    ],
    'references': [
        {'source': 'Workday Security Advisory'},
        {'source': 'Salesloft Trust Portal Update (August 26, 2024)'},
    ],
    'response': {
        'communication_strategy': [
            'Direct customer notifications',
            'Public advisory via Workday and Salesloft trust portals',
            'Detailed MFA/step-up authentication guidance',
        ],
        'containment_measures': [
            'Disabled Drift connector',
            'Revoked all associated OAuth tokens',
            'Removed residual integrations',
        ],
        'enhanced_monitoring': [
            'User activity logs for unusual behavior (recommended to customers)',
        ],
        'incident_response_plan_activated': True,
        'remediation_measures': [
            'Full audit of historical case text for credential disclosures',
            'Customer notifications for credential rotation',
        ],
        'third_party_assistance': [
            'Independent forensic firm (unnamed)',
            'Collaboration with Salesloft',
        ],
    },
    'stakeholder_advisories': [
        'Direct notifications to affected customers',
        'Public guidance on MFA and credential rotation',
    ],
    'threat_actor': 'Sophisticated Threat Actor (unknown affiliation)',
    'title': 'Unauthorized Access to Workday’s Salesforce Environment via Compromised Drift Application',
    'type': ['Data Breach', 'Unauthorized Access'],
    'vulnerability_exploited': [
        'Weak OAuth Credential Security in Drift',
        'Lack of Multi-Factor Authentication (MFA) for Third-Party Integrations',
    ],
}