A New Corporate Victim in a Broader CRM Exploitation Campaign
Workday, one of the world’s leading human capital management (HCM) software providers, has confirmed it was impacted in a recent string of coordinated cyberattacks targeting Salesforce CRM instances through sophisticated social engineering. While the company says no customer tenants or internal systems were compromised, attackers did gain access to business contact data stored in a third-party system.
The breach, discovered on August 6, was disclosed publicly in a blog post on Friday, with direct customer notifications issued separately.
“Threat actors were able to access some information from our third-party CRM platform,” Workday stated. “There is no indication of access to customer tenants or the data within them.”
Who Is Behind the Attack?
Though Workday did not name the perpetrators, BleepingComputer and others have linked the breach to a broader campaign attributed to ShinyHunters, a notorious extortion group previously responsible for breaches at AT&T, Snowflake, and PowerSchool.
The attackers reportedly contacted employees by phone or text, impersonating HR or IT staff in an attempt to gain trust and obtain credentials. This tactic is part of an expanding toolkit of voice phishing (vishing) and OAuth app abuse used to trick employees into granting malicious applications access to their company’s Salesforce environment.
Once access is gained, the attackers exfiltrate data and, in many cases, follow up with extortion demands. Past victims of this same campaign include Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, Pandora, and Google.
What Was Exposed?
According to Workday, the compromised data included “commonly available business contact information,” such as:
- Names
- Email addresses
- Phone numbers
While not classified as sensitive on its own, this type of data is highly useful to threat actors conducting subsequent phishing attacks, impersonation attempts, or credential-harvesting campaigns.
Workday emphasized that no customer environments were accessed, and there’s no indication that employee or HR data from its platform was breached. The attack appears to be contained to the CRM layer.
The Salesforce Threat Surface
Salesforce, as the leading CRM provider, has become a high-value target. These recent breaches follow a consistent pattern:
- Social Engineering: Attackers impersonate internal staff via voice, text, or email.
- OAuth Abuse: Victims are tricked into authorizing malicious apps.
- Data Theft: CRM records are exported, often including names, emails, deal data, and communications.
- Extortion: Companies are contacted with threats of data exposure unless a ransom is paid.
Despite Salesforce’s security features, these attacks bypass conventional defenses by preying on human trust and organizational complexity. Companies relying on CRM platforms must now assume that those integrations are part of their threat surface.
What Comes Next
While Workday has not confirmed any extortion demands or data leaks, the company’s inclusion in the same attack wave as other global brands suggests a high risk of follow-up threats. Monitoring for phishing, impersonation, or fraudulent activity tied to the exposed contact data will be essential.
The industry at large should take this as further proof that attackers are evolving, and the soft spots are now in communication tools, not servers.
Customers should remain alert to suspicious communications, especially those purporting to be from Workday representatives.
Workday will likely face scrutiny over third-party risk management practices and may need to reassess its CRM data governance posture.
