Incident

SaaS provider Workiva reports customer data breach in Salesloft instance



Workiva, a cloud-based Software as a Service (SaaS) provider, is reporting a data breach after attackers gained unauthorized access to the company's third-party customer relationship management (CRM) system.

The cyberattack was carried out as part of a broader campaign by the ShinyHunters extortion group, targeting Salesforce instances of multiple high-profile organizations.

The attack was executed first with voice phishing (vishing) techniques, then shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances. The attackers contacted Workiva employees pretending to be from the company's IT support department, tricking them into authorizing access to the organization's Salesforce CRM platform through malicious OAuth applications.

The compromised data includes:

  • Names of customers and contacts
  • Email addresses
  • Phone numbers
  • Support ticket content and communications

The number of affected individuals was not disclosed by Workiva. The breach potentially impacts a substantial customer base, as Workiva had 6,305 customers at the end of last year and reported revenues of $739 million in 2024. Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz and others.

The company emphasized that the core Workiva platform and customer data remained secure, stating "the Workiva platform and any data within it were not accessed or compromised" and that "our CRM vendor notified us of unauthorized access via a connected third-party application."

The company warned affected customers to be careful about potential spear-phishing attacks that could exploit the stolen contact information. 
