Workday, one of the world’s leading providers of human resources and financial management software, has confirmed a data breach that exposed business contact information through a third-party CRM platform, not its core HR or financial systems. Discovered on August 6, 2025, the breach revealed names, email addresses, and phone numbers—data that, while not highly sensitive, could be leveraged in future social engineering or phishing attacks. Workday emphasized that no customer tenant environments or core customer data were accessed, and reminded users that the company will never request credentials or sensitive information by phone, urging vigilance in verifying communication channels.
The breach appears connected to a wider campaign attributed to ShinyHunters, also known as UNC6040/UNC6240, a cybercriminal collective notorious for large-scale social engineering attacks. ShinyHunters and affiliated groups such as Scattered Spider have been targeting Salesforce CRM environments by impersonating IT staff in voice phishing (vishing) campaigns. Employees are tricked into authorizing malicious OAuth applications disguised as legitimate tools, such as modified “Data Loader” apps. Once granted, these apps gain API-level access, bypassing multi-factor authentication and allowing attackers to extract massive volumes of customer data.
This tactic has already impacted global giants like Google, Adidas, Qantas, Cisco, Air France–KLM, Allianz Life, Coca-Cola, and luxury brands under LVMH. While passwords and payment card details were not compromised in these cases, millions of customer contact records—including loyalty program info and purchase histories—were stolen and weaponized in extortion attempts. In one brazen move, ShinyHunters even demanded 20 Bitcoins from Salesforce CEO Marc Benioff, threatening to leak records from over 90 organizations.
The Workday breach underscores the growing supply chain risk inherent in enterprise SaaS ecosystems. Even when core platforms remain uncompromised, third-party integrations and human error provide powerful entry points for attackers. Experts warn that the human factor is the weakest link—sophisticated technical defenses can still be undermined by a persuasive phone call.
Mitigation strategies include restricting who can authorize connected applications, enforcing least privilege scopes, auditing and whitelisting apps, enforcing strong MFA across all user and API flows, and conducting regular vishing simulations to train staff. As the ShinyHunters campaign shows, security awareness and process discipline are just as critical as technology in defending against today’s most effective threats.
#WorkdayBreach #CRMhack #ShinyHunters #SalesforceSecurity #OAuthAttack #Vishing #SocialEngineering #DataBreach #WorkdaySecurity #CyberExtortion #ScatteredSpider #ScatteredLapsus #EnterpriseSecurity #APISecurity #SupplyChainRisk
