Workday and Salesforce: HR giant Workday discloses data breach after Salesforce attack

Workday Discloses Data Breach Following Social Engineering Attack on Third-Party CRM

Workday, the California-based human resources and financial management giant, has confirmed a data breach after attackers compromised a third-party customer relationship management (CRM) platform through a social engineering campaign. The incident, discovered on August 6, exposed business contact information—including names, email addresses, and phone numbers—though the company stated that no customer tenant data or internal Workday systems were accessed.

The breach targeted a Salesforce CRM instance, part of a broader wave of attacks linked to the ShinyHunters extortion group. Threat actors used voice phishing (vishing) and text-based social engineering to impersonate HR or IT staff, tricking employees into granting access. Once inside, attackers deployed malicious OAuth apps to exfiltrate databases, later leveraging the stolen data for extortion.

While Workday emphasized that the exposed data consisted of publicly available business contacts, the incident underscores the potential for follow-on phishing and targeted attacks using the stolen information.

Source: https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/

Workday TPRM report: https://www.rankiteo.com/company/workday

Salesforce TPRM report: https://www.rankiteo.com/company/salesforce

"id": "worsal1767928423",
"linkid": "workday, salesforce",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 11,000 organizations '
                                              '(including >60% of Fortune 500)',
                        'industry': 'Human Resources, Enterprise Software',
                        'location': 'Pleasanton, California, USA',
                        'name': 'Workday',
                        'size': '19,300+ employees',
                        'type': 'Corporation'}],
 'attack_vector': 'Social Engineering, Voice Phishing',
 'customer_advisories': 'Notifications sent to potentially affected customers',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Names, email '
                                                        'addresses, phone '
                                                        'numbers',
                 'sensitivity_of_data': 'Low to moderate (names, email '
                                        'addresses, phone numbers)',
                 'type_of_data_compromised': 'Business contact information'},
 'date_detected': '2024-08-06',
 'date_publicly_disclosed': '2024-08-16',
 'description': 'Workday disclosed a data breach after attackers gained access '
                'to a third-party customer relationship management (CRM) '
                'platform through a social engineering attack. The breach '
                'exposed business contact information, which could be used in '
                'subsequent attacks. No customer tenants or data within them '
                'were impacted.',
 'impact': {'data_compromised': 'Business contact information (names, email '
                                'addresses, phone numbers)',
            'systems_affected': 'Third-party CRM platform (Salesforce)'},
 'initial_access_broker': {'entry_point': 'Third-party CRM platform '
                                          '(Salesforce) via malicious OAuth '
                                          'app'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Data Theft',
 'post_incident_analysis': {'root_causes': 'Social engineering attack leading '
                                           'to malicious OAuth app linkage'},
 'references': [{'date_accessed': '2024-08-18', 'source': 'BleepingComputer'},
                {'date_accessed': '2024-08-16', 'source': 'Workday Blog'}],
 'response': {'communication_strategy': 'Blog post, customer notifications'},
 'threat_actor': 'ShinyHunters',
 'title': 'Workday Data Breach via Third-Party CRM Platform Compromise',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Third-party CRM platform (Salesforce) compromise '
                            'via malicious OAuth app'}