Workday has confirmed a data breach stemming from a third-party CRM compromise, following a broader social engineering campaign impacting several global enterprises. In a blog post, the HR software giant disclosed that attackers accessed business contact information stored in Salesforce—without breaching customer tenants or internal systems. Workday emphasized that the compromised data included names, emails, and phone numbers, likely intended for further phishing or impersonation attempts.
The breach was discovered on August 6, and Workday notified affected customers shortly thereafter. Attackers reportedly posed as HR or IT representatives through text and phone calls in an effort to deceive employees into revealing sensitive access credentials. Though the leaked data was described as “commonly available,” it still presents a risk for downstream social engineering or credential phishing schemes targeting Workday customers and employees.
This breach is part of a broader attack campaign linked to the ShinyHunters extortion group, which has recently targeted high-profile companies via Salesforce. Victims are tricked into connecting malicious OAuth apps to their CRM platforms, enabling attackers to siphon data and extort companies. Other recent victims include Google, Adidas, Qantas, and several luxury brands, highlighting the scale and sophistication of the threat actors’ tactics.
If your medical or healthcare organization uses Workday, monitor your online accounts and the dark web for potential data leaks stemming from the incident.
