HR giant Workday discloses data breach amid Salesforce attacks



Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack.

Headquartered in Pleasanton, California, Workday has over 19,300 employees in offices across North America, EMEA, and APJ. Workday’s customer list comprises over 11,000 organizations across a diverse range of industries, including more than 60% of the Fortune 500 companies.

As the company revealed in a Friday blog post, the attackers gained access to some of the information stored on the compromised CRM systems. The company added that no customer tenants were impacted.

“We want to let you know about a recent social engineering campaign targeting many large organizations, including Workday,” the HR giant said.

“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them.”

However, some business contact information was exposed in the incident, including customer data that could be used in subsequent attacks.

“The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams,” it added.

In a separate notification sent to potentially affected customers and seen by BleepingComputer, the company added that the breach was discovered almost two weeks ago, on August 6.

Workday added that the attackers contact employees via text or phone, pretending to be from Human Resources or IT, in an attempt to trick them into revealing account access or personal information.

Salesforce data-theft attacks

While Workday didn’t directly confirm it, the only “recent social engineering campaign targeting many large organizations” is a wave of security breaches linked to the ShinyHunters extortion group, which targets Salesforce CRM instances through social engineering and voice phishing attacks.

Multiple other high-profile companies worldwide were also recently breached in this campaign, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and, most recently, Google.

These attacks are believed to have begun at the start of the year, with the threat actors tricking the targets’ employees into linking a malicious OAuth app to their company’s Salesforce instances through social engineering attacks.

Once linked, the attackers use the connection to download and steal the companies’ databases, with the stolen data later being used to extort the victims via email.
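
The sequence described above (an employee links an OAuth app, then that app downloads the database) can be hunted for in audit data. The following added example, which is not from Workday, Salesforce or BleepingComputer, flags app authorizations outside an allowlist and rates them by how many rows the app read afterwards; the event schema, app names, thresholds and sample events are constructed assumptions, not a real Salesforce log format.

```python
from datetime import datetime, timedelta

# Assumption: apps the organisation has approved; names are hypothetical.
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
WINDOW = timedelta(hours=24)   # how long after linking to watch the app
ROW_THRESHOLD = 10_000         # rows read that we treat as a bulk download

# Constructed sample events in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:00:00", "type": "oauth_app_authorized", "user": "alice", "app": "Marketing Sync"},
    {"ts": "2025-08-01T09:05:00", "type": "api_query", "user": "alice", "app": "Marketing Sync", "rows": 250_000},
    {"ts": "2025-08-01T14:10:00", "type": "oauth_app_authorized", "user": "bob", "app": "My Ticket Portal"},
    {"ts": "2025-08-01T14:12:00", "type": "api_query", "user": "bob", "app": "My Ticket Portal", "rows": 6_000},
    {"ts": "2025-08-01T14:20:00", "type": "api_query", "user": "bob", "app": "My Ticket Portal", "rows": 9_000},
    {"ts": "2025-08-03T10:00:00", "type": "oauth_app_authorized", "user": "carol", "app": "Notes Helper"},
    {"ts": "2025-08-03T10:30:00", "type": "api_query", "user": "carol", "app": "Notes Helper", "rows": 40},
]


def find_suspicious_links(events, approved=APPROVED_APPS):
    """Return one finding per unapproved app authorization, with rows read in WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as strings
    findings = []
    for link in events:
        if link["type"] != "oauth_app_authorized" or link["app"] in approved:
            continue
        start = datetime.fromisoformat(link["ts"])
        # Sum what this app read on behalf of the linking user inside the window.
        rows = sum(
            e["rows"] for e in events
            if e["type"] == "api_query"
            and e["app"] == link["app"] and e["user"] == link["user"]
            and start <= datetime.fromisoformat(e["ts"]) <= start + WINDOW
        )
        findings.append({
            "user": link["user"], "app": link["app"], "linked_at": link["ts"],
            "rows_read": rows,
            # An unapproved link alone is worth review; bulk reads make it urgent.
            "severity": "high" if rows >= ROW_THRESHOLD else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EVENTS):
        print(finding)
```

Summing reads across the window catches an app that stays under the threshold on each individual query, as the constructed "My Ticket Portal" events do.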

The extortion demands were signed as coming from ShinyHunters, a notorious extortion group linked to numerous high-profile attacks over the years, including the Snowflake attacks and those against AT&T and PowerSchool.

Workday didn’t reply to a request for comment when BleepingComputer reached out earlier today.
