Workday CRM platform hit by hackers, suspected link to Salesforce attackers
HR solutions company Workday reveals unknown threat actors have successfully breached its third-party CRM platform using advanced social engineering tactics, echoing a recent wave of Salesforce-related attacks.
-
Workday’s third-party CRM platform was breached via vishing attacks linked to ShinyHunters and Salesforce intrusions.
-
Hackers accessed business contact details, raising risks of spear phishing and fraud.
-
Security experts tell Cybernews stronger employee training and authentication measures are needed to combat social engineering.
The San Francisco-based company posted an update on its website on Friday, alerting its customers about the attack, first detected on August 6th.
“We want to let you know about a recent social engineering campaign targeting many large organizations, including Workday,” the company said.
Workday then explained how the hackers gained unauthorized access to its unnamed Customer Relationship Management (CRM) platform, citing tactics similar to those used by the notorious Shiny Hunters (UNC6240) gang in a rash of summer attacks targeting dozens of Salesforce environments.
“In this campaign, threat actors contact employees by text or phone, pretending to be from human resources or IT,” Workday said, a social engineering tactic known as "vishing" or voice phishing.
Founded in 2005, Workday is a cloud-based software-as-a-service (SaaS) platform that specializes in human resources and financial management, the company’s newsroom states.
With close to 20,000 employees and more than 11,000 customers worldwide, the newsroom says the Workday customer community represents over 70 million users under contract, pulling in over $8.4 billion in annual revenue for 2024.
The conversation on this topic is live. Join in the discussion.
Vishing attacks fool employees – yet again
“Much like other recent CRM data thefts, the attackers used social engineering to trick employees into granting them access to the platform, after which data was exfiltrated,” said William Wright, CEO of Closed Door Security.
Workday said the hackers only were able to access “primarily commonly available business contact information,” including names, email addresses, and phone numbers – presumably “to further their social engineering scams.”
Still, even with commonly available information, Wright points out that it can be "a big blow to customer trust," citing the risk of more targeted spear phishing and fraud.
Furthermore, Wright says the growing list of ShinyHunters Salesforce-linked breaches indicates "the critical need to train employees on the more sophisticated forms of social engineering.”
“At this point, employees are familiar with traditional email phishing campaigns, but, as this attack has demonstrated, ’vishing’ is extremely effective because many employees have not been trained to expect it,” Wright said.
Workday has also said there is “no indication of access to customer tenants or the data within them,” reminding customers that Workday will always use “trusted support channels for official communication."
“It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details,” it said.
More employee training is paramount
Juliette Hudson, CTO of CybaVerse, agrees that the nature of the attack – using social engineering to penetrate Workday's CRM platform – points to ShinyHunters as the likely perpetrator.
“Training employees to understand and prepare for vishing is a good start, but it may not be enough on its own, especially as the impersonation employed by threat actors becomes more sophisticated,” she said.
In a March 2025 blog, Salesforce warned customers of vishing attacks resulting in the data exfiltration of roughly 20 companies using a modified version of Salesforce’s Data Loader – a tool used to bulk import data into Salesforce environments.
In June, Google’s threat intelligence arm, Mandiant, identified Shiny Hunters (UNC6240) as the hacking group behind the campaign, which industry researchers believe has either merged or is working in tandem with M&S hackers, the Scattered Spider ransomware group.
“From Chanel to Google, this group has successfully attacked a swathe of companies using the same method, and their success shows how critical voice phishing and other sophisticated social engineering attacks are for organizations,” Hudson said.
Other major Salesforce victims in recent months have included Coca-Cola, Cisco, Australia’s Qantas airline, Allianz Life insurance company, Adidas, and Louis Vuitton luxury goods maker LVMH.
Hudson says “to defend themselves, companies need to consider more stringent measures regarding their internal authentication and security practices,” adding that “without better protocols, even well-trained employees are at risk of being fooled.”
The CTO suggests companies should implement some form of internal authentication controls.
“For example, if help desk employees were required to verify themselves when on the phone with employees before any sensitive data could be shared, these vishing attacks would become much more difficult to perform successfully,” she said.
Workday said as soon as it became aware of the breach, it quickly cut access and has since added extra safeguards to prevent similar intrusions.
