Workiva


Workiva, a cloud-based SaaS provider specializing in financial reporting, compliance, and audits, suffered a supply chain attack via a compromised third-party CRM system (Salesforce). Threat actors (linked to the ShinyHunters extortion group) exfiltrated business contact data including names, email addresses, phone numbers, and support ticket content from affected customers. While Workiva’s core platform remained unbreached, the stolen data poses risks for spear-phishing attacks targeting high-profile clients (e.g., Google, T-Mobile, Delta Air Lines, Santander). The breach originated from unauthorized access via a connected third-party application (Salesloft’s Drift AI chat integration), part of a broader campaign exploiting OAuth tokens to extract sensitive credentials (e.g., AWS keys, Snowflake tokens) from Salesforce instances. Workiva warned customers to expect phishing attempts but confirmed no direct compromise of its financial or operational systems. The incident aligns with a wider wave of Salesforce breaches impacting cybersecurity firms and Fortune 500 companies, leveraging vishing and token theft tactics.
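The sensitive part of this incident is not the contact list but what customers paste into support tickets: the campaign described above harvested AWS keys and Snowflake tokens from exported CRM case data. A defender can run the same search first. The scanner below is an added example written for this page; it is not Workiva's, Salesforce's or Salesloft's code, and the sample tickets are constructed (the AWS values are the placeholder credentials from AWS's documentation). The AWS access-key-ID shape is the documented format; the other patterns are heuristics and labelled as assumptions in the code.

```python
import re
from dataclasses import dataclass

# Credential shapes commonly pasted into support tickets. The AWS access key ID
# prefix and length are the documented format; the remaining patterns are
# heuristics (an assumption, not a vendor spec) for secrets with no fixed shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    # user:password@account inside a Snowflake connection URL
    "snowflake_connection": re.compile(r"(?i)snowflake://[^\s:/]+:[^\s@]+@[a-z0-9_.-]+"),
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    kind: str
    preview: str  # redacted, safe to put in an alert or a rotation ticket


def redact(secret: str) -> str:
    """Keep a short prefix so an analyst can match the finding to the real key."""
    if len(secret) <= 4:
        return "****"
    return secret[:4] + "*" * (len(secret) - 4)


def scan_ticket(ticket_id: str, body: str) -> list[Finding]:
    """Return one Finding per credential-looking match in a ticket body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            # use the capture group where the pattern has one (value only),
            # otherwise the whole match
            secret = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append(Finding(ticket_id, kind, redact(secret)))
    return findings


def scan_tickets(tickets: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a ticket export; tickets with no findings are omitted from the result."""
    results = {}
    for ticket_id, body in tickets.items():
        found = scan_ticket(ticket_id, body)
        if found:
            results[ticket_id] = found
    return results


# Constructed sample tickets (not real customer data).
SAMPLE_TICKETS = {
    "T-1001": (
        "Hi, our sync job fails. Config:\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    ),
    "T-1002": "Snowflake connection string: snowflake://svc_reporting:Hunter2!@xy12345.us-east-1",
    "T-1003": "Dashboard still shows last quarter's numbers after refresh.",
}

if __name__ == "__main__":
    for ticket_id, findings in scan_tickets(SAMPLE_TICKETS).items():
        for f in findings:
            print(f"{ticket_id}: {f.kind} -> {f.preview}  (rotate before closing the ticket)")
```

Run it against a periodic export of the case object (or as a hook when a ticket is created) and treat every hit as a credential to rotate, not just to redact: once a CRM export has left via a stolen integration token, the secret is already in the attacker's hands.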

Source: https://www.bleepingcomputer.com/news/security/saas-giant-workiva-discloses-data-breach-after-salesforce-attack/

TPRM report: https://www.rankiteo.com/company/workiva

"id": "wor2560325090425",
"linkid": "workiva",
"type": "Breach",
"date": "9/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with customer business contact data leaks"
{'affected_entities': [{'customers_affected': ["Subset of Workiva's customers "
                                               '(exact number undisclosed)',
                                               'Includes Fortune 500 companies '
                                               '(e.g., Google, T-Mobile, Delta '
                                               'Air Lines, etc.)'],
                        'industry': ['Cloud Computing',
                                     'Financial Reporting',
                                     'Compliance'],
                        'name': 'Workiva',
                        'size': '6,305 customers (2023), $739M revenue (2024)',
                        'type': 'SaaS Provider'},
                       {'customers_affected': ['Multiple high-profile '
                                               'companies (e.g., Cloudflare, '
                                               'Google, Cisco, Zscaler, '
                                               'Tenable, etc.)'],
                        'industry': 'Enterprise Software',
                        'name': 'Salesforce (via Salesloft integration)',
                        'type': 'CRM Platform'},
                       {'industry': 'Sales Automation',
                        'name': 'Salesloft',
                        'type': 'Sales Engagement Platform'}],
 'attack_vector': ['Voice Phishing (Vishing)',
                   'OAuth Token Theft',
                   'Third-Party Application Exploitation (Salesloft Drift AI '
                   'Chat Integration)'],
 'customer_advisories': ['Avoid sharing secure details via text/phone',
                         'Verify communications through official Workiva '
                         'channels'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': ['Names',
                                                         'Email addresses',
                                                         'Phone numbers'],
                 'sensitivity_of_data': ['Moderate (contact info)',
                                         'High (potential credentials in '
                                         'support tickets)'],
                 'type_of_data_compromised': ['Business contact information',
                                              'Support ticket content',
                                              'Potential credentials (AWS '
                                              'keys, Snowflake tokens)']},
 'date_publicly_disclosed': '2025-09-04',
 'description': 'Workiva, a cloud-based SaaS provider, notified customers that '
                'attackers gained access to a third-party CRM system '
                '(Salesforce via Salesloft) and exfiltrated limited business '
                'contact information, including names, email addresses, phone '
                'numbers, and support ticket content. The breach is linked to '
                'the ShinyHunters extortion group, which exploited OAuth '
                "tokens in Salesloft's Drift AI chat integration with "
                "Salesforce. Workiva's platform and internal data remained "
                'uncompromised, but customers were warned of potential '
                'spear-phishing risks.',
 'impact': {'brand_reputation_impact': ['Potential erosion of trust due to '
                                        'third-party breach',
                                        'Warning to customers about phishing '
                                        'risks'],
            'data_compromised': ['Business contact information (names, email '
                                 'addresses, phone numbers)',
                                 'Support ticket content',
                                 'Potential AWS access keys, Snowflake tokens, '
                                 'and passwords (from other victims)'],
            'identity_theft_risk': ['High (stolen contact data could enable '
                                    'spear-phishing or identity-based '
                                    'attacks)'],
            'operational_impact': ['Customer notification efforts',
                                   'Increased vigilance for spear-phishing',
                                   'Token rotation (e.g., Cloudflare rotated '
                                   '104 tokens)'],
            'systems_affected': ['Salesforce CRM (via Salesloft integration)',
                                 'Third-party customer support systems']},
 'initial_access_broker': {'data_sold_on_dark_web': ["Likely (ShinyHunters' "
                                                     'modus operandi)'],
                           'entry_point': ['Salesloft Drift AI chat '
                                           'integration with Salesforce',
                                           'Stolen OAuth tokens'],
                           'high_value_targets': ['Salesforce CRM data',
                                                  'Support tickets (for '
                                                  'credentials)',
                                                  'AWS/Snowflake tokens']},
 'investigation_status': 'Ongoing (linked to broader ShinyHunters campaign)',
 'lessons_learned': ['Third-party integrations (e.g., Salesloft-Salesforce) '
                     'can introduce significant risk.',
                     'OAuth token security requires stricter controls to '
                     'prevent theft/exploitation.',
                     'Supply chain attacks can bypass direct defenses, '
                     'emphasizing the need for vendor risk management.'],
 'motivation': ['Data Theft',
                'Extortion',
                'Credential Harvesting for Further Attacks'],
 'post_incident_analysis': {'corrective_actions': ['Token rotation and '
                                                   'revocation',
                                                   'Enhanced authentication '
                                                   'for third-party '
                                                   'integrations',
                                                   'Customer education on '
                                                   'phishing risks'],
                            'root_causes': ['Insecure OAuth token management '
                                            'in Salesloft-Salesforce '
                                            'integration',
                                            'Lack of sufficient monitoring for '
                                            'third-party application access',
                                            'Voice phishing (vishing) used to '
                                            'initially compromise '
                                            'credentials']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement multi-factor authentication (MFA) for all '
                     'third-party integrations.',
                     'Regularly audit and rotate OAuth tokens and API keys.',
                     'Monitor for anomalous access patterns in CRM and support '
                     'systems.',
                     'Educate customers and employees on spear-phishing risks '
                     'post-breach.',
                     'Enhance logging and detection for third-party '
                     'application access.'],
 'references': [{'date_accessed': '2025-09-04', 'source': 'BleepingComputer'},
                {'source': 'Workiva Private Customer Email Notification'}],
 'response': {'communication_strategy': ['Private email notifications to '
                                         'affected customers',
                                         'Public disclosure via media '
                                         '(BleepingComputer)'],
              'containment_measures': ['Token rotation (e.g., Cloudflare '
                                       'rotated 104 tokens)',
                                       'Disabling compromised integrations'],
              'enhanced_monitoring': ['Likely increased monitoring for '
                                      'phishing attempts'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Customer notifications',
                                       'Advisories on phishing risks']},
 'stakeholder_advisories': ['Customers advised to watch for phishing attempts',
                            'Workiva confirmed no platform compromise'],
 'threat_actor': 'ShinyHunters',
 'title': 'Workiva Data Breach via Salesloft Supply Chain Attack',
 'type': ['Data Breach', 'Supply Chain Attack', 'Credential Theft'],
 'vulnerability_exploited': ['Weak OAuth Token Security',
                             'Third-Party CRM Integration Vulnerabilities']}