Workday confirms data breach amid wave of Salesforce-linked cyberattacks

The attackers reportedly contacted employees via phone calls and text messages

Human resources software giant Workday has disclosed a data breach following a social engineering attack that compromised a third-party customer relationship management (CRM) platform.

In a blog post on Friday, the California-based firm said attackers accessed some information stored on its CRM systems after targeting employees in a campaign that has also ensnared multiple global organisations.

However, Workday stressed that no customer tenants or their data were affected.

"We want to let you know about a recent social engineering campaign targeting many large organisations, including Workday," the company said.

"We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them."

According to the company, the attackers gained access to primarily business contact details, such as names, phone numbers and email addresses, that could be exploited for further social engineering scams.

A notification sent to customers revealed the breach was detected on 6th August, almost two weeks before Friday's disclosure.

The attackers reportedly contacted employees via phone calls and text messages, posing as members of HR or IT to manipulate them into sharing account access or personal data.

Workday, which employs more than 19,300 people across North America, Europe, the Middle East, Africa and Asia-Pacific, serves over 11,000 organisations globally. That scale makes any potential breach a matter of concern for corporate security teams.

Part of a larger campaign?

Although Workday did not directly confirm the link, the attack aligns with a wider campaign targeting Salesforce CRM instances, widely attributed to the ShinyHunters extortion group.

This wave of intrusions has affected a string of prominent companies worldwide, including Adidas, Allianz Life, Dior, Qantas, Louis Vuitton, Tiffany, Chanel and even Google.

The campaign, believed to have begun earlier this year, uses social engineering and voice phishing tactics to trick employees into approving malicious OAuth applications connected to their organisations' Salesforce environments.

Once granted access, attackers exfiltrate company databases and later attempt to extort victims via email.

ShinyHunters, a group with a long track record of high-profile breaches, has also been linked to the notorious Scattered Spider collective. The latter has carried out ransomware operations against several UK retailers in 2025. ShinyHunters previously made headlines in connection with attacks on Snowflake, AT&T and PowerSchool.

In response to the incidents, Salesforce issued a statement earlier this month, claiming that its core platform remains secure.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform," the company said.

"While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe - especially amid a rise in sophisticated phishing and social engineering attacks."

The company urged its clients to adopt security best practices, including enabling MFA, enforcing least privilege access, and closely monitoring connected apps.

Commenting on the Workday data breach, Kevin Marriott, senior manager of cyber and head of SecOps at Immersive, said CRM systems remain an attractive target.

"CRM tooling is often a key target for threat actors as they typically store limited, but valuable information that threat actors can either use themselves or sell on, with databases full of information that is useful such as email addresses and other personal information," he noted.

Marriott added that if Workday's breach is indeed linked to the broader Salesforce campaign, it signals a growing focus by cybercriminals on SaaS platforms rich in customer data.

"As this type of breach is technically easier to perform yet still highly effective, we could see even more threat actors adopting these tactics. Business leaders must be able to demonstrate cyber capabilities across their workforce through regular exercises and improve them through targeted skills development."