• Home
  • cyber
  • Workday: Workday hit in wave of social engineering attacks
cyber Breach

Workday: Workday hit in wave of social engineering attacks

Aug 16, 2025 2 min read
Workday: Workday hit in wave of social engineering attacks

Workday Hit by Third-Party Cyberattack Linked to ShinyHunters

Workday, a leading HR platform provider, disclosed a cyberattack on 16–17 August after threat actors breached its systems via a third-party supplier. The incident appears tied to a broader wave of attacks likely orchestrated through Salesforce products linked to the ShinyHunters cybercrime group, though Workday did not confirm the specific threat actor or software involved.

In a public notice, Workday revealed that attackers accessed limited data from its third-party CRM platform, primarily business contact information such as names, email addresses, and phone numbers. The company emphasized that no customer tenant data or internal systems were compromised. Immediate containment measures were taken, including revoking access and implementing additional safeguards.

The breach stemmed from a social engineering campaign targeting multiple large organizations, with the stolen data potentially intended for further phishing scams. Workday clarified that it never requests passwords or sensitive details via phone, urging users to verify communications through official support channels.

The incident underscores the growing risk of supply chain attacks, where cybercriminals exploit vulnerabilities in third-party vendors to infiltrate larger targets. While the full scope of the campaign remains under investigation, the attack aligns with recent tactics attributed to ShinyHunters, a group known for high-profile data breaches.

Source: https://www.computerweekly.com/news/366629343/Workday-hit-in-wave-of-social-engineering-attacks

Workday cybersecurity rating report: https://www.rankiteo.com/company/workday

"id": "WOR1768679649",
"linkid": "workday",
"type": "Breach",
"date": "8/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Human Resources',
                        'name': 'Workday',
                        'type': 'HR Platform Provider'}],
 'attack_vector': 'Third-Party Supplier Compromise',
 'customer_advisories': 'Workday never requests passwords or sensitive details '
                        'via phone',
 'data_breach': {'personally_identifiable_information': 'Names, email '
                                                        'addresses, phone '
                                                        'numbers',
                 'sensitivity_of_data': 'Low to moderate (names, email '
                                        'addresses, phone numbers)',
                 'type_of_data_compromised': 'Business contact information'},
 'date_detected': '2023-08-16',
 'description': 'Workday, a leading HR platform provider, disclosed a '
                'cyberattack after threat actors breached its systems via a '
                'third-party supplier. The incident appears tied to a broader '
                'wave of attacks likely orchestrated through Salesforce '
                'products linked to the ShinyHunters cybercrime group. '
                'Attackers accessed limited business contact information from '
                'a third-party CRM platform.',
 'impact': {'data_compromised': 'Business contact information (names, email '
                                'addresses, phone numbers)',
            'systems_affected': 'Third-party CRM platform'},
 'initial_access_broker': {'entry_point': 'Third-party CRM platform'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing risk of supply chain attacks via third-party '
                    'vendors; importance of verifying communications through '
                    'official channels',
 'motivation': 'Data Theft for Phishing Scams',
 'post_incident_analysis': {'corrective_actions': 'Revoked access, implemented '
                                                  'additional safeguards',
                            'root_causes': 'Social engineering campaign '
                                           'targeting third-party supplier'},
 'recommendations': 'Enhance third-party vendor security assessments; educate '
                    'users on phishing risks; implement multi-factor '
                    'authentication for third-party access',
 'references': [{'source': 'Workday Public Notice'}],
 'response': {'communication_strategy': 'Public notice urging users to verify '
                                        'communications through official '
                                        'support channels',
              'containment_measures': 'Revoked access to the third-party CRM '
                                      'platform, implemented additional '
                                      'safeguards',
              'incident_response_plan_activated': True},
 'stakeholder_advisories': 'Urged users to verify communications through '
                           'official support channels',
 'threat_actor': 'ShinyHunters',
 'title': 'Workday Third-Party Cyberattack Linked to ShinyHunters',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Social Engineering'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.