Workday Hit by Social Engineering Attack, Third-Party Data Exposed – Source: www.techrepublic.com

Workday, a leading provider of HR and financial software, confirmed that a recent social engineering scheme gave attackers entry to a third-party customer relationship management (CRM) platform. The breach did not compromise customer tenant systems or their stored data.

In a blog post on Friday, Workday said threat actors posed as internal staff through calls and text messages, deceiving some employees into sharing access details. While certain information was exposed, Workday stressed that its core platforms remained unaffected.

“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them,” Workday said in its statement.

Workday clarified that the stolen records primarily involved general business contact details, such as names, email addresses, and phone numbers — information that could be used in further social engineering scams.

Cybersecurity experts warn that even limited data of this kind can provide criminals with material for phishing or voice-based scams aimed at employees or customers.

According to BleepingComputer, which reviewed customer notifications, Workday detected the breach on Aug. 6. The company has not disclosed how many individuals or businesses were affected.

Similar to recent ShinyHunters attacks

Security researchers told BleepingComputer that the attack is consistent with a campaign linked to the ShinyHunters extortion group. That collective has been accused of exploiting Salesforce CRM systems at multiple global companies, among them Google, Adidas, Qantas, and Louis Vuitton.

In those cases, attackers reportedly trick employees into granting access to malicious apps within Salesforce systems, a tactic that enabled attackers to extract company data.

Workday’s added safeguards and tips for customers

Workday emphasized that it acted quickly once the breach was detected. “We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” the company said.

In addition, Workday reminded customers that the company does not request sensitive details over the phone. “It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels,” the company added.

Read our report on how Apple’s password app slip exposed user security risks, and what this means for digital privacy in 2025.