A social engineering attack on a third-party CRM platform tied to HR platform Workday allowed threat actors to steal business contact data, raising alarms over targeted phishing risks.
At a Glance
- The breach occurred on August 6, 2025, but was publicly disclosed by Workday in mid-August
- Exposed data included names, email addresses, and phone numbers—business contact information—from a third-party CRM platform
- Workday confirmed no customer tenant data or internal systems were compromised
- The breach aligns with a wave of attacks targeting Salesforce CRM systems, associated with the ShinyHunters group
- Workday is urging vigilance in the face of potential phishing or vishing attempts using the leaked contact data
The Breach Unfolds
On August 6, 2025, Workday detected unauthorized access to a third-party customer relationship management (CRM) platform following a social engineering campaign. Attackers impersonated HR or IT staff, contacting Workday employees via phone or text—likely to trick them into revealing access to key systems.
Watch now: Would you fall for it? More Salesforce Carnage, Workday … · YouTube
Workday’s public disclosure a week later clarified that while contact data—names, emails, phone numbers—was exposed, customer tenant data and core internal data remained secure.
A Strategic Pattern of CRM Exploitation
Experts have linked the Workday incident to a broader campaign targeting Salesforce CRM platforms. The notorious threat group ShinyHunters (also known as UNC6040) is suspected to be behind coordinated attacks that have hit organizations including Google, Pandora, Adidas, Qantas, Chanel, and others.
These campaigns typically employ voice phishing (vishing) or other social engineering tactics to convince employees to authorize malicious OAuth apps, granting attackers unauthorized data access. Once inside, the attackers exfiltrate data and may initiate extortion attempts.
Workday’s Response and What Lies Ahead
Workday has responded by cutting off access, notifying affected parties, and reinforcing its security measures—including employee training and detection capabilities. It also reminded employees that Workday will never request credentials over the phone.
Security experts warn that exposed contact details—though not highly sensitive on their own—can significantly aid subsequent phishing campaigns, serving as building blocks for more sophisticated attacks.
Sources
Click this link for the original source of this article.
Author: Editor
This content is courtesy of, and owned and copyrighted by, https://thecongressionalinsider.com and its author. This content is made available by use of the public RSS feed offered by the host site and is used for educational purposes only. If you are the author or represent the host site and would like this content removed now and in the future, please contact USSANews.com using the email address in the Contact page found in the website menu.
