Workday, a prominent human resources and financial management software provider, disclosed a data breach stemming from a social engineering attack that compromised a third-party customer relationship management (CRM) platform. The attackers exploited employee trust through impersonation tactics (posing as HR or IT) to gain unauthorized access to sensitive business contact information.
Severity Level: High
Incident Overview
- Date Breach Discovered: August 6, 2025
- Date Disclosed Publicly: August 15, 2025
- Attack Type: Social engineering (voice phishing, text phishing) and CRM compromise
- Systems Impacted: Third-party CRM (likely Salesforce)
- Workday Core Systems/Customer Tenants: Not affected
How The Breach Happened
- Initial Vector: Social engineering (phishing + voice phishing) directed at employees.
- Impersonation Tactics: Attackers contacted employees pretending to be internal staff (HR or IT), via phone calls or SMS.
- Credential Harvesting: Victims were manipulated into authorizing malicious OAuth apps against their CRM accounts, giving the attackers delegated access without needing the victims' passwords.
- CRM Exploitation: These OAuth apps granted attackers access to the CRM environment integrated with Workday.
- Data Exfiltration: Business contact data was harvested for potential use in further scams or fraud.
- This incident is consistent with the ShinyHunters campaign that leverages malicious OAuth apps to extract CRM data and extort companies.
Data Exposed
- The compromised information was primarily business contact details, such as:
- Names
- Email addresses
- Phone numbers
- While this data is not highly sensitive, it significantly increases the risk of secondary phishing, impersonation, and extortion attempts targeting Workday clients and employees.
Threat Actor Profile
- Suspected Group: ShinyHunters
- Motivation: Data theft and extortion campaigns.
- TTPs Observed:
- Voice phishing (vishing) and SMS phishing (smishing)
- Malicious OAuth app integrations to Salesforce CRM
- Credential harvesting and unauthorized data extraction
- Notable Victims in Same Campaign: Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Chanel, Google, etc.
- Historical Activity: Linked to Snowflake, AT&T, and PowerSchool breaches.
- Threat Level: High, due to global scale and persistent targeting of CRM/SaaS platforms.
Lessons Learned
- Even when customer core systems are not breached, third-party platforms can serve as weak links in the security chain.
- Exposed business contact details, though seemingly low risk, can be leveraged for larger-scale phishing and impersonation campaigns.
- Attackers increasingly exploit OAuth integrations and SaaS connections, making governance of third-party apps critical.
Recommendations
- Conduct mandatory phishing and vishing simulation exercises to help employees detect impersonation attempts.
- Establish a clear reporting mechanism for suspicious emails, calls, or texts.
- Enforce multi-factor authentication (MFA) for all CRM and SaaS accounts, with adaptive MFA based on login context.
- Apply least-privilege access controls for CRM data to minimize exposure of non-essential information.
- Periodically audit employee access and revoke unused CRM accounts.
- Implement strict OAuth app approval workflows for Salesforce and other CRM platforms.
- Continuously monitor for unverified or malicious app integrations, a common vector used in ShinyHunters campaigns.
- Regularly review and security-test CRM and SaaS vendors for resilience against social engineering campaigns.
- Limit the type of customer data stored in CRM to reduce breach impact.
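The two OAuth-governance recommendations above (an approval workflow for connected apps, and continuous monitoring for unverified integrations) can be turned into a simple recurring audit. The script below is an added example written for this advisory; it is not Workday's or Salesforce's code. It runs over a constructed JSON export of connected-app authorizations (one record per user who authorized an app); the field names, app names, consumer keys, users and the allowlist are all hypothetical, and the scope names are modelled on Salesforce OAuth scopes. It flags apps that are not on the allowlist, approved apps whose scopes have drifted, and, the pattern seen in this campaign, an unapproved app that several different users authorized within a short window.

```python
"""Audit a CRM's OAuth connected-app inventory against an approval allowlist.

Added example for this advisory, not vendor code. Operates on a constructed
export; every name, key, user and timestamp below is hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist maintained by the approval workflow:
# app name -> the OAuth scopes the security team approved for it.
APPROVED_APPS = {
    "Workday HCM Connector": {"api", "refresh_token"},
    "Finance Reporting": {"api"},
}
# Scopes that grant broad or long-lived access (names modelled on Salesforce).
HIGH_RISK_SCOPES = {"full", "refresh_token", "web"}
# An unapproved app authorized by this many distinct users inside AUTH_WINDOW
# looks like a coordinated vishing/smishing wave rather than a single mistake.
WAVE_THRESHOLD = 3
AUTH_WINDOW = timedelta(hours=24)

# Constructed export standing in for a real connected-app usage report.
SAMPLE_EXPORT = json.dumps([
    {"app": "Workday HCM Connector", "consumer_key": "3MVG9_EXAMPLE_A", "scopes": ["api", "refresh_token"],
     "user": "svc-integration@example.com", "authorized_at": "2025-07-01T09:00:00Z"},
    {"app": "Finance Reporting", "consumer_key": "3MVG9_EXAMPLE_B", "scopes": ["api", "full"],
     "user": "analyst@example.com", "authorized_at": "2025-07-20T11:30:00Z"},
    {"app": "Data Loader Helper", "consumer_key": "3MVG9_EXAMPLE_C", "scopes": ["full", "refresh_token"],
     "user": "alice@example.com", "authorized_at": "2025-08-05T14:02:00Z"},
    {"app": "Data Loader Helper", "consumer_key": "3MVG9_EXAMPLE_C", "scopes": ["full", "refresh_token"],
     "user": "bob@example.com", "authorized_at": "2025-08-05T14:40:00Z"},
    {"app": "Data Loader Helper", "consumer_key": "3MVG9_EXAMPLE_C", "scopes": ["full", "refresh_token"],
     "user": "carol@example.com", "authorized_at": "2025-08-06T08:15:00Z"},
    {"app": "Calendar Sync", "consumer_key": "3MVG9_EXAMPLE_D", "scopes": ["openid"],
     "user": "dave@example.com", "authorized_at": "2025-06-10T10:00:00Z"},
])


def _parse_ts(ts):
    """Parse the export's UTC timestamps ('YYYY-MM-DDTHH:MM:SSZ')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_oauth_apps(export_json):
    """Return findings keyed by app name: {'severity': 'high'|'medium', 'reasons': [...]}.

    Approved apps using only their approved scopes produce no finding.
    """
    by_app = defaultdict(list)
    for rec in json.loads(export_json):
        by_app[rec["app"]].append(rec)

    findings = {}
    for app, recs in by_app.items():
        reasons, severity = [], "medium"
        scopes = set().union(*(set(r["scopes"]) for r in recs))

        if app in APPROVED_APPS:
            # Scope drift: an approved integration now holds scopes nobody approved.
            extra = scopes - APPROVED_APPS[app]
            if extra:
                reasons.append(f"approved app using unapproved scopes {sorted(extra)}")
                if extra & HIGH_RISK_SCOPES:
                    severity = "high"
        else:
            reasons.append("app not on the approved allowlist")
            risky = scopes & HIGH_RISK_SCOPES
            if risky:
                reasons.append(f"requests high-risk scopes {sorted(risky)}")
                severity = "high"
            # Several distinct users authorizing the same unknown app in a short
            # span is the signature of a social-engineering campaign, not an accident.
            users = {r["user"] for r in recs}
            times = sorted(_parse_ts(r["authorized_at"]) for r in recs)
            if len(users) >= WAVE_THRESHOLD and times[-1] - times[0] <= AUTH_WINDOW:
                reasons.append(f"{len(users)} users authorized it within "
                               f"{AUTH_WINDOW} (possible social-engineering wave)")
                severity = "high"

        if reasons:
            findings[app] = {"severity": severity, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for app, finding in sorted(audit_oauth_apps(SAMPLE_EXPORT).items()):
        print(f"[{finding['severity'].upper()}] {app}: " + "; ".join(finding["reasons"]))
```

Run on a real export, the "high" findings are the ones to act on first: revoke the app's tokens for every affected user, then treat the affected users as likely phishing victims and check what contact records their sessions read. The allowlist and scope sets are the output of the approval workflow; if that workflow does not exist yet, building it is the prerequisite for this check to mean anything.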
Sources:
- https://blog.workday.com/en-us/protecting-you-from-social-engineering-campaigns-update-from-workday.html
- https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/