Workday warns of CRM breach after social engineers make off with business contact details – Source: go.theregister.com

Workday has admitted that attackers gained access to one of its third-party CRM platforms, but insists its core systems and customer tenants are untouched.

In a short blog posted late last week, Workday disclosed that crooks sweet-talked staff by posing as HR or IT, and in doing so waltzed off with “some information” from an unnamed CRM system.

The company stressed there was “no indication” anyone had obtained customer data stored inside Workday’s flagship SaaS apps.

“We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” Workday said, while failing to mention how long the attackers had access or what exact measures were taken to avoid such future incidents.

The biz hasn’t said which CRM platform was targeted either, but said the attackers’ loot appears to be limited to “primarily commonly available business contact information, like names, email addresses, and phone numbers” – the sort of stuff that can grease the wheels of future phishing or vishing scams.

Workday spokesperson Kirin May told The Register: “We’re one of several companies targeted by a sophisticated social engineering scam. All signs show that our customers’ Workday data remains secure. Some commonly available business contact information was accessed, and we’ve informed our customers and partners so they can protect themselves from similar campaigns. We’ve also adopted additional security measures internally to protect our own employees.”

While Workday avoided naming names, infosec watchers have already linked the intrusion to ShinyHunters, the crew blamed for a string of Salesforce-related heists in recent weeks. The group’s playbook is heavy on social engineering: calling staff while posing as IT or HR, then slipping in malicious OAuth apps to quietly drain cloud systems. Victims are said to include Adidas, Qantas, Dior, Tiffany & Co, Chanel, Cisco, Google, and Allianz Life, among others.

• Workday promises to grow workforce slowly and differently after shedding 1,750 jobs
• Workday handed no-bid deal to fix staffing meltdown at Uncle Sam’s uber-HR agency
• UK finance watchdog spends millions ‘enhancing’ Workday software rolled out 4 years ago
• Workday talks up AI agents platform that will reap rewards of staff cuts

The timing certainly lines up. According to Bleeping Computer, Workday discovered the compromise almost two weeks ago, on August 6. It’s since “notified affected customers,” though the company didn’t respond to The Register‘s questions about how many were caught up in the breach. 

For ShinyHunters, the Workday caper would be just the latest notch on the belt. The gang has made a name for itself flogging stolen data on underground forums and running brazen extortion schemes.

Over the weekend, it emerged that the group has been chumming up with some equally notorious names. As El Reg reported, ShinyHunters, Scattered Spider, and Lapsus$ appear to be swapping tips – and perhaps targets – in a shared Telegram hangout. Cybercrime cartels, it seems, are back in fashion. ®