Workday, a major player in the human resources sector, has disclosed a recent data breach caused by a social engineering attack targeting a third-party customer relationship management (CRM) system—specifically, a Salesforce instance.
Although Workday, headquartered in Pleasanton, California, provides services to over 11,000 organizations worldwide (including over 60% of the Fortune 500), the company reports that its main customer data environments known as "customer tenants" were not accessed or impacted by the breach.
The breach, uncovered nearly two weeks before disclosure, exposed business contact information such as names, emails, and phone numbers contained in the compromised CRM.
Workday clarified that the compromised data was mostly publicly available information frequently used for business contact purposes, but acknowledged that this exposure could still facilitate further social engineering or phishing attempts by malicious parties. Employees were alerted that attackers may attempt to contact them, impersonating HR or IT staff, to extract sensitive details or credentials.
This incident is part of a larger ongoing campaign allegedly orchestrated by the ShinyHunters extortion group. BleepingComputer reports that this group specializes in targeting Salesforce CRM instances at major firms through tactics like voice phishing and social engineering.
Their modus operandi often involves convincing employees to link a fraudulent OAuth application to the company's Salesforce environment, granting attackers access to download vital company databases. Subsequently, stolen data is used for extortion, and the attack group’s ransom notes have consistently identified themselves as ShinyHunters.
Several other global corporations—including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google—have fallen victim to similar attacks over the past few months, with activity believed to have started at the beginning of the year.
Although Workday didn't confirm direct involvement with Salesforce in their public statement, a company spokesperson indicated the breach was associated with business contact data in the Salesforce platform. The attackers primarily leveraged social engineering, not technical vulnerabilities, to obtain unauthorized access.
This breach highlights the increasing effectiveness of well-crafted social engineering attacks targeting SaaS platforms and the persistent threat posed by organized groups such as ShinyHunters. While the compromise did not reach more sensitive internal systems, Workday and similar organizations face ongoing risks of secondary attacks fueled by the exposed contact data.
