Workday, a cloud-based platform used for human capital management and financial management, has disclosed a data breach after attackers gained access to a third-party CRM platform in a recent social engineering attack.
The company said bad actors contacted employees by text or phone, pretending to be from HR or IT. Their goal was to fool staff members into giving up account access or their personal information.
“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” the company said.
Workday added that the attackers obtained information that was “commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams.”
The company stressed that it is important to remember that it will never contact anyone by phone to request a password or any other secure details. “All official communications from Workday come through our trusted support channels.”
However, BleepingComputer reported that this incident is part of a slew of security breaches linked to the notorious ShinyHunters extortion group, which targets Salesforce CRM instances via social engineering and voice phishing attacks.
Many high-profile companies globally have been breached in this campaign, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co, Chanel, and even Google.
These attacks are believed to have started at the beginning of the year, with malefactors tricking the targets’ employees into linking a malicious OAuth app to their company’s Salesforce instances through social engineering attacks.
A Shift in Mindset
David Stuart, Cybersecurity Evangelist at Sentra, says: “Salesforce environment-linked attacks keep coming. From Qantas to Pandora to Google – and now Workday, these breaches highlight that companies of all industries and sizes need to be extra aware of the security surrounding these environments.”
Stuart says although this incident mainly exposed publicly available business contact information for phishing purposes, it indicates a broader trend. “Attackers are focusing on where data is most concentrated, and often least visible — within cloud SaaS applications. Voice phishing tactics and other forms of social engineering are proving effective because the security model for SaaS platforms like Salesforce typically relies too heavily on perimeter controls and user authentication.”
He adds that firms need to shift their mindset. “It’s not just about securing systems, but understanding where sensitive data originates and lives, how it moves, and who touches it, and being proactive about ensuring its security posture. Without that baseline of visibility and control, even the most trusted cloud platforms can become data vulnerabilities.”
Difficult, Time-Consuming Methods
The rise in social engineering attacks by malicious actors should alarm any organization’s security team, adds Thomas Richards, Infrastructure Security Practice Director at Black Duck. “This also demonstrates that the attackers are out of other options and are resorting to more difficult and time-consuming methods to attack these organizations. Every piece of information they gain in these attacks can be used to conduct further campaigns and get closer to their goals.”
Richards says firms should put their employees on alert for any suspicious phone calls and texts, reminding them that HR and IT will never directly contact them for that information.
Attackers Don’t Stop at One Vendor
Chad Cragle, Chief Information Security Officer at Deepwatch, says this is another reminder that in cybersecurity, breaches rarely happen in isolation; they ripple. “Attackers don’t stop at one vendor; they pivot across the ecosystem, looking for the next weak link. Think of it like a row of dominoes, once one falls, the rest are in play. For companies, the takeaway is simple; you can’t just trust your vendor’s perimeter, you need continuous monitoring, strong identity controls, and rapid detection baked into your own environment. Otherwise, you’re betting your business on someone else’s defense.”
The Same Playbook
The Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns, adds J Stephen Kowski, Field CTO at SlashNext. “Social profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast.”
Kowski advises blocking this at the point of click with real-time link and QR inspection across email, mobile, browsers, and chat, plus rapid analysis that catches lookalike domains and phishing kits hosted on trusted platforms. “Backstop with identity defenses that detect session theft and MFA bypass, and auto-revoke risky OAuth tokens while enforcing least privilege. Close the loop with live-intel phishing simulations so teams recognize the exact lures being used in these campaigns right now.”
A Manipulative Attack Method
Boris Cipot, Senior Security Engineer at Black Duck, calls social engineering a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information.
“Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and “internal” information to appear legitimate,” he adds.
To protect against social engineering, Cipot says companies should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. “Employees should be aware of these procedures and understand that they will not be penalized for refusing to provide information or assist someone impersonating a superior.”
He stresses that the victims of the data breach should be careful. “Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


