Workday Data Breach Linked To Third-Party CRM Amid Salesforce Social Engineering Wave

Workday discloses a data breach tied to a third-party CRM after social engineering attacks. No tenant data was accessed; business contact details were exposed amid Salesforce-linked activity.

    Workday has disclosed a data breach after attackers accessed a third-party customer relationship management platform in a social engineering incident. The HR giant, headquartered in Pleasanton, California, employs more than 19,300 people and serves over 11,000 organizations, including more than 60% of the Fortune 500. The company says no customer tenants or tenant data were touched.

    In a Friday update, Workday said attackers reached some information stored in the external CRM. The firm tied the event to a broader campaign hitting large companies and emphasized that internal production environments remained out of scope.

    “We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them,” the company said.

    Workday notified potentially affected customers that the breach was identified on August 6. The company also warned that threat actors are contacting employees by text or phone, posing as HR or IT to solicit account access or personal details.

    What Workday Says Was Accessed And What Was Not

    Workday describes the exposed records as business contact information that is often already available, but still useful to adversaries running phishing and voice-phishing operations.

    Limited data types referenced include:

    • Names
    • Corporate email addresses
    • Work phone numbers and office locations
    • Job titles and related business contact details

    The company reiterated that customer tenants were not accessed and that the incident involved a third-party CRM system, not Workday’s core HR or finance platforms.

    Salesforce-Linked Campaign And ShinyHunters’ Extortion Pattern

    While Workday did not name the provider, the disclosure matches a Salesforce data-theft campaign attributed to the ShinyHunters extortion group. In that activity, attackers convince employees to authorize a malicious OAuth app to the company’s Salesforce instance. Once the OAuth connection is in place, databases can be copied and later used in email extortion.

    Other high-profile organizations have reported related breaches this year, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and most recently Google. The extortion notes reference ShinyHunters, a group linked to earlier large-scale incidents, including attacks connected to Snowflake, AT&T, and PowerSchool.

    Workday states the current operation is social-engineering-driven. The actors reportedly use corporate-style messaging to prompt users to act quickly and approve OAuth access or share credentials over the phone.
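
    For defenders, the OAuth authorization pattern described above can be hunted by reviewing connected-app grants against an allowlist and checking how much data each newly authorized app read afterwards. The sketch below is an added example, not code from Workday, Salesforce or the original article; the event fields, app names, allowlist, time window and row threshold are all assumptions to be mapped onto whatever audit data the CRM actually exports.

```python
from datetime import datetime, timedelta

APPROVED_APPS = {"crm-sync-approved"}   # assumed allowlist of vetted connected apps
WINDOW = timedelta(hours=24)            # assumed look-ahead period after a grant
ROW_THRESHOLD = 10_000                  # assumed bulk-read threshold

# Constructed sample events; the field names are hypothetical, not a vendor log schema.
EVENTS = [
    {"ts": "2024-01-15T09:02:11", "type": "oauth_grant", "user": "a.lee",
     "app": "crm-sync-approved", "scopes": ["api", "refresh_token"]},
    {"ts": "2024-01-15T09:10:00", "type": "api_query", "user": "a.lee",
     "app": "crm-sync-approved", "rows": 50_000},
    {"ts": "2024-01-15T14:17:03", "type": "oauth_grant", "user": "j.ortiz",
     "app": "support-portal-helper", "scopes": ["api", "refresh_token"]},
    {"ts": "2024-01-15T14:21:47", "type": "api_query", "user": "j.ortiz",
     "app": "support-portal-helper", "rows": 8_000},
    {"ts": "2024-01-15T14:29:30", "type": "api_query", "user": "j.ortiz",
     "app": "support-portal-helper", "rows": 41_000},
    {"ts": "2024-01-16T08:00:00", "type": "oauth_grant", "user": "m.chen",
     "app": "calendar-widget", "scopes": ["openid"]},
]


def find_unapproved_grants(events, approved=APPROVED_APPS,
                           window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Flag OAuth grants to apps outside the allowlist and rate each one by
    how many rows the same user/app pair read within `window` of the grant."""
    findings = []
    for grant in events:
        if grant["type"] != "oauth_grant" or grant["app"] in approved:
            continue
        start = datetime.fromisoformat(grant["ts"])
        rows = sum(
            e["rows"] for e in events
            if e["type"] == "api_query"
            and (e["user"], e["app"]) == (grant["user"], grant["app"])
            and start <= datetime.fromisoformat(e["ts"]) <= start + window
        )
        findings.append({
            "user": grant["user"],
            "app": grant["app"],
            # A refresh token keeps the grant usable after the user's session ends.
            "offline_access": "refresh_token" in grant["scopes"],
            "rows_read": rows,
            "severity": "high" if rows >= row_threshold else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_grants(EVENTS):
        print(finding)
```

    A "high" finding is a candidate for revoking the app's tokens and contacting the user who approved it; a "review" finding still means an unvetted app holds a grant.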
