Workday Hit by Data Breach Following Salesforce Attack

Summary

– Workday disclosed a data breach after attackers accessed a third-party CRM platform via a social engineering attack, but no customer tenants were impacted.
– The exposed data included business contact information like names, email addresses, and phone numbers, which could be used in future scams.
– The breach was discovered on August 6; attackers posed as HR or IT to trick employees into giving up account access.
– The incident is linked to the ShinyHunters extortion group, which targets Salesforce CRM instances through social engineering and phishing attacks.
– Other major companies, including Adidas, Google, and Louis Vuitton, were also breached in this campaign, with stolen data used for extortion.

Workday has confirmed a security incident involving unauthorized access to its third-party CRM platform, exposing business contact information but leaving customer data untouched. The breach stemmed from a sophisticated social engineering campaign targeting multiple large corporations, with attackers posing as internal personnel to manipulate employees.

Based in Pleasanton, California, Workday serves more than 11,000 organizations globally, including a majority of Fortune 500 companies. The company clarified that while attackers accessed certain CRM records, no customer systems or sensitive tenant data were compromised. Exposed details reportedly included names, email addresses, and phone numbers, information often publicly available but potentially useful for follow-up phishing attempts.

The incident, detected on August 6, mirrors tactics observed in recent attacks against major brands like Adidas, Google, and luxury retailers such as Louis Vuitton. Threat actors impersonated HR or IT staff via calls or texts, coaxing employees into granting system access. Though Workday didn’t explicitly name the affected CRM provider, sources indicate the breach involved Salesforce, a platform repeatedly targeted by cybercriminal group ShinyHunters.

This group, notorious for high-profile data thefts including the Snowflake and AT&T breaches, allegedly uses stolen Salesforce credentials to siphon corporate databases. Their modus operandi involves deploying malicious OAuth apps after tricking employees, then leveraging the access for extortion. Recent victims span industries from aviation (Qantas) to finance (Allianz Life), suggesting a broad, ongoing campaign.

Workday emphasized that core customer environments remained secure, though it warned affected clients about potential secondary scams using the leaked contact details. The company joins a growing list of enterprises grappling with social engineering schemes that exploit human vulnerabilities rather than technical flaws. Security experts urge organizations to reinforce employee training and implement multi-layered authentication to counter such threats.

Editor’s note: This article was updated to reflect connections between the Workday breach and broader Salesforce-targeted attacks.

(Source: Bleeping Computer)
