Workday, a leading provider of enterprise cloud applications for finance and human resources, has announced a data breach affecting a third-party Customer Relationship Management (CRM) platform. The company confirmed the incident, which appears to be part of a larger social engineering campaign targeting multiple large organizations. Workday’s core systems and customer data stored in its primary tenants were not affected, the company stated.
The breach, discovered on August 6, was a result of a sophisticated social engineering scheme where attackers contacted Workday employees, posing as internal HR or IT staff. The goal was to trick employees into providing account access or sensitive personal information, which ultimately led to the compromise of the third-party CRM. The specific CRM vendor was not named in Workday’s public disclosure.
According to Workday, the information obtained by the threat actors was limited to “commonly available business contact information,” including names, email addresses, and phone numbers. The company warned that this data could be used to facilitate future social engineering or phishing scams against its customers and partners. Workday has reiterated its policy that it will never contact individuals by phone to request passwords or other secure details.
While Workday has not confirmed the group responsible, security experts and media reports have linked the incident to the notorious cybercrime group known as ShinyHunters. This group has been implicated in a series of similar attacks on other high-profile companies, including Google, Adidas, and Chanel, where they targeted Salesforce CRM instances through “vishing” (voice phishing) and the exploitation of malicious OAuth apps.
Workday has stated it acted swiftly to cut off the unauthorized access and has since implemented additional safeguards to prevent similar incidents. The company has also begun the process of notifying affected customers and has encouraged all users to be vigilant against unexpected communications requesting sensitive information.
This breach underscores the growing threat of social engineering and the vulnerability of third-party platforms in the corporate supply chain. It serves as a reminder that even companies with robust internal security can be compromised through weaknesses in their external partners and the human element, which remains one of the most difficult attack vectors to defend against.
