What happened to Workday?

Workday, the California-based human resources and financial management software giant, experienced a data breach after hackers compromised their CRM platform through a social engineering attack. The company discovered the breach on August 6, 2025, and publicly reported it on August 15.

When was the Workday data breach discovered and reported?

The Workday data breach was discovered on August 6, 2025, and the company publicly reported it on August 15, 2025.

What type of data was exposed in the Workday breach?

The exposed data includes names, email addresses, and phone numbers. The number of affected individuals has not been disclosed by Workday.

What is Workday and what services do they provide?

Workday is a California-based human resources and financial management software giant that provides enterprise software solutions for HR, finance, and other business operations.

What platforms did the attackers target in this campaign?

The attackers specifically targeted Salesforce CRM instances across multiple organizations, using social engineering to gain access to these customer relationship management platforms.

How should employees identify legitimate Workday communications?

According to Workday, the company will never contact anyone by phone to request passwords or other secure details. All official communications come through trusted support channels, not unsolicited phone calls or text messages requesting sensitive information.

What is the significance of targeting Salesforce CRM platforms?

Salesforce CRM platforms often contain valuable customer and business data including contact information, business relationships, and operational details. By targeting these platforms through OAuth application compromise, attackers can access large amounts of sensitive business and customer data.

Incident

HR ciant Workday reports data breach caused by Salesforce social engineering attack

Q: Which threat group was responsible for the Workday attack?

The attack is attributed to the ShinyHunters extortion group, which has been targeting Salesforce CRM instances through voice phishing and social engineering attacks since the beginning of 2025.

Q: Is this part of a larger attack campaign?

Yes, this data breach is part of a coordinated campaign that has affected at least 91 organizations worldwide, including high-profile companies such as Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google.

Q: What warning did Workday give to customers about legitimate communications?

Workday cautioned customers that the company will never contact anyone by phone to request passwords or other secure details, emphasizing that all official communications come through trusted support channels.

Q: What is the ShinyHunters group and what are their tactics?

ShinyHunters is an extortion group that has been targeting Salesforce CRM instances through voice phishing and social engineering attacks since the beginning of 2025, using impersonation tactics to trick employees into authorizing malicious OAuth applications.

Q: How did the attackers use OAuth applications in this attack?

The attackers tricked Workday employees into linking malicious OAuth applications to their company's Salesforce instance. Once the malicious OAuth app was authorized, the attackers used this legitimate connection to download and steal data from the company's databases.

published: Aug. 18, 2025

Learn More

Workday, the California-based human resources and financial management software giant, reports a data breach after hackers compromised a their (CRM) platform through a social engineering attack

The company discovered the breach on August 6, 2025, and publicly reported it on August 15. The attack is part of a broader social engineering campaign attributed to the ShinyHunters extortion group, which has been targeting Salesforce CRM instances through voice phishing and social engineering attacks since the beginning of 2025.

Threat actors contacted Workday employees via text messages and phone calls, impersonating human resources and IT personnel to trick staff into linking malicious OAuth applications to their company's Salesforce instance. Once the malicious OAuth app was authorized, the attackers used the connection to download and steal data from the companies' databases.

Exposed Data includes:

Names
Email addresses
Phone numbers

The number of affected individuals is not disclosed.

This data breach is part of a coordinated campaign that has affected at least 91 organizations worldwide, including high-profile companies such as Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google.

The company cautioned customers that Workday will never contact anyone by phone to request passwords or other secure details, emphasizing that all official communications come through trusted support channels.

HR ciant Workday reports data breach caused by Salesforce social engineering attack

Read More
Microsoft leaks employee credentials and data via unprotected …
Cybersecurity company Qualys confirms data breach caused by …
FIA, governing body of Formula 1 reports data …
Hugging Face AI platform reports breach of authentication …
Everest ransomware gang's leak site hacked and defaced