The recent breach of data from Workday's third-party CRM system is more than just another headline; it's a powerful case study in the evolution of cybercrime. The incident, linked to the notorious extortion group ShinyHunters, underscores a critical reality: a company's attack surface now extends far beyond its own network and into the hands of its employees and third-party vendors.
The key takeaway for cybersecurity professionals is a hard-earned lesson: in an age of sophisticated social engineering, the human element remains the most persistent vulnerability.
It wasn't an attack on Workday's core platform. Instead, the attackers ran a social engineering campaign against Workday employees, primarily using "vishing" (voice phishing) and text messages. As a Workday blog post stated, the attackers posed as HR or IT staff to "trick employees into giving up account access or their personal information."
While Workday did not name the compromised CRM vendor, multiple sources, including BleepingComputer and Computing UK, have linked the attack to a broader campaign against the Salesforce CRM environments of major corporations. In those cases, attackers talked employees into authorizing a malicious OAuth connected app, which gave the attackers API-level access to the company's CRM data; they then exported it. The Workday breach appears to be a variation on the same playbook: exploit human trust to gain a foothold in a third-party system, then exfiltrate data.
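The consent-grant pattern described above is detectable after the fact if the CRM's OAuth authorization events are exported to a SIEM. The following is an added example, not code from the article or from Workday or Salesforce: it scores each consent grant against an allowlist of sanctioned client IDs, flags an unapproved app that borrows an approved app's display name, flags scopes that give durable API access, and adds a campaign-level signal when several users consent to the same unapproved client within a short window. The record layout, allowlist, corporate IP range and sample grants are all constructed for illustration and do not reflect any vendor's real log format.

```python
"""Audit OAuth consent grants for the malicious-connected-app pattern.

Added example, not code from the article or from Workday or Salesforce.
The record layout, the allowlist, the corporate IP range and the sample
grants are constructed for illustration; no vendor's real log format is
assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Scopes that, together, give durable API-level access to tenant data.
PERSISTENT_API = {"api", "refresh_token"}

# Hypothetical allowlist of sanctioned apps: client_id -> display name.
APPROVED_APPS = {
    "client-dataloader-official": "Data Loader",
    "client-chat-integration": "Team Chat",
}

# Hypothetical corporate egress range (RFC 5737 documentation block).
CORP_NETS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class ConsentGrant:
    ts: datetime
    user: str
    client_id: str
    app_name: str
    scopes: frozenset
    source_ip: str


def _is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def grant_reasons(g: ConsentGrant) -> list:
    """Per-grant indicators. Approved client_ids are trusted and yield none."""
    if g.client_id in APPROVED_APPS:
        return []
    reasons = ["client_id not on the allowlist"]
    # The campaign's trick: an unapproved app wearing an approved app's name.
    if g.app_name.lower() in {n.lower() for n in APPROVED_APPS.values()}:
        reasons.append(f"display name '{g.app_name}' impersonates an approved app")
    if "full" in g.scopes or PERSISTENT_API <= g.scopes:
        reasons.append("scopes grant persistent API access")
    if not _is_corporate(g.source_ip):
        reasons.append("consent came from a non-corporate address")
    return reasons


def audit(grants, window=timedelta(hours=2), min_users=2) -> dict:
    """Map each suspicious grant to its reasons; add a campaign-level reason
    when several distinct users consent to the same unapproved client
    within `window`."""
    findings = {}
    for g in grants:
        reasons = grant_reasons(g)
        if reasons:
            findings[g] = reasons

    by_client = {}
    for g in findings:  # every finding is, by construction, unapproved
        by_client.setdefault(g.client_id, []).append(g)
    for client_id, gs in by_client.items():
        gs.sort(key=lambda x: x.ts)
        users = {x.user for x in gs}
        if len(users) >= min_users and gs[-1].ts - gs[0].ts <= window:
            for g in gs:
                findings[g].append(
                    f"{len(users)} users consented to {client_id} within {window}")
    return findings


def _t(h, m):
    return datetime(2025, 8, 1, h, m, tzinfo=timezone.utc)


# Constructed sample: one legitimate Data Loader grant, two grants to an
# unapproved client using the same display name, one unrelated approved app.
SAMPLE_GRANTS = [
    ConsentGrant(_t(14, 2), "alice@example.com", "client-dataloader-official",
                 "Data Loader", frozenset(PERSISTENT_API), "203.0.113.10"),
    ConsentGrant(_t(14, 20), "bob@example.com", "client-unknown-4471",
                 "Data Loader", frozenset(PERSISTENT_API), "198.51.100.7"),
    ConsentGrant(_t(15, 5), "carol@example.com", "client-unknown-4471",
                 "Data Loader", frozenset(PERSISTENT_API), "198.51.100.9"),
    ConsentGrant(_t(16, 0), "dave@example.com", "client-chat-integration",
                 "Team Chat", frozenset({"openid", "email"}), "203.0.113.22"),
]

if __name__ == "__main__":
    for g, reasons in audit(SAMPLE_GRANTS).items():
        print(f"{g.ts:%H:%M} {g.user} -> {g.app_name} ({g.client_id})")
        for r in reasons:
            print("   -", r)
```

On the sample, Alice's grant to the sanctioned Data Loader client is silent, while Bob's and Carol's grants to the unknown client each carry five reasons, the last being the campaign signal. The more durable fix is preventive rather than detective: configure the CRM so that users cannot self-authorize connected apps at all and only admin-approved client IDs are installable, which removes the consent step the vishing call depends on.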
The stolen data was "primarily commonly available business contact information," such as names, email addresses, and phone numbers. While Workday has maintained that there is "no indication of access to customer tenants or the data within them," security experts warn that this seemingly innocuous information is a goldmine for future social engineering campaigns. It provides the "in" needed for more personalized and effective attacks against Workday's customers.
Workday's response, while proactive in some ways, has drawn criticism. The company publicly disclosed the breach in a blog post and notified customers, but its initial communication left questions unanswered. According to reports from Computing UK and other outlets, the company did not specify the affected third-party vendor, nor did it "entirely rule out" that customer information was compromised, which left some in the cybersecurity community wanting more transparency.
One LinkedIn poster, Javed Ikbal, a CISO, said the headline from the Workday blog, "Protecting You From Social Engineering Campaigns: An Update From Workday," should have added the words "because we had a data breach" to it.
Ikbal's full LinkedIn post:
"#Databreach? What data breach? We are only protecting you from social engineering (that may be caused by a data breach we suffered). That is the message conveyed by the innocuous-sounding headline Workday used to announce their data breach. So to make things clearer, I added the subtext in orange.
Some news outlets also reported that this particular blog post also came with a metatag of 'noindex' which told search engines to exclude it from search results. When I looked at the page source yesterday, I didn't see the 'noindex'—it is possible they changed it.
Either way, I hope whoever dreamed up that post title gets the 'weasel of the year' award.
Post summary:
- Workday's CRM (allegedly #Salesforce) was compromised through social engineering
- Between the lines: there was no MFA, or MFA was reset at the same time. AFAIK, Salesforce has mandatory MFA, so it was probably the latter
- This compromised the information Workday holds about the business contacts they have about their customers (name, email address, phone number, etc. of mostly HR/HRIS/Finance people)
- The actual information in the customer's tenant was not compromised
With the compromised information, social engineering may be possible, so the headline is not wrong, but that message belongs in the post, not in the headline announcing the breach."
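Ikbal's post refers to checking the page source for a `noindex` tag. The directive can live in two places, a `<meta name="robots">` tag (or a crawler-specific variant such as `googlebot`) and an `X-Robots-Tag` HTTP response header, so a check that reads only the HTML can miss it. The following is an added example, not code from the article or from Workday, that inspects both; the HTML snippets and header values are constructed for illustration, and fetching the live page is left to the caller so the code runs offline.

```python
"""Check whether a page is marked noindex, in either place the directive can live.

Added example, not code from the article or from Workday. The HTML snippets
and header dicts below are constructed for illustration.
"""
from html.parser import HTMLParser

OPT_OUT = {"noindex", "none"}  # "none" is shorthand for noindex plus nofollow


class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"> and crawler-specific variants."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if name == "robots" or name.endswith("bot"):
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def noindex_sources(html: str, headers: dict = None) -> list:
    """Return which mechanisms mark the page noindex: 'meta', 'x-robots-tag', or both."""
    sources = []
    parser = _RobotsMeta()
    parser.feed(html)
    if OPT_OUT & set(parser.directives):
        sources.append("meta")
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            # Header form may be "noindex, nofollow" or "googlebot: noindex".
            tokens = {t.strip().lower() for t in value.replace(":", ",").split(",")}
            if OPT_OUT & tokens:
                sources.append("x-robots-tag")
    return sources


# Constructed pages: the first opts out of indexing, the second does not.
HIDDEN_PAGE = """<html><head>
<meta charset="utf-8">
<meta name="ROBOTS" content="noindex, nofollow">
<title>An Update</title></head><body>...</body></html>"""

VISIBLE_PAGE = HIDDEN_PAGE.replace('content="noindex, nofollow"',
                                   'content="index, follow"')

if __name__ == "__main__":
    print(noindex_sources(HIDDEN_PAGE))
    print(noindex_sources(VISIBLE_PAGE, {"X-Robots-Tag": "googlebot: noindex"}))
```

To run it against a live page, pass the response body and the response headers from whatever HTTP client you use. One caveat worth keeping in mind, which Ikbal's post also hints at: the directive is evaluated by the crawler at fetch time, so a tag that was present on day one and removed later leaves no trace in today's source; an archived copy is the only way to confirm what was served earlier.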
Tech editor Emil Protalinski added on LinkedIn:
"Workday said that 'there is no indication of access to customer tenants or the data within them.'
In other words, the company could not explicitly rule out that customer information was taken.
This means that if your company uses Workday, or even if your company doesn't but you once applied to a company that does, your information could have been stolen.
Workday isn't acting above-board about the hack: it initially tried to hide its blog post that disclosed the breach from search engines.
Shame on you, Workday: the whole point of a breach notice is to let the public know, not just check an HR box."
However, the core of Workday's defense has been consistent and clear: the breach was not a result of a vulnerability in its own platform. In a statement to The Record, a company representative said, "There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards." Workday also used its customer communication to remind users of basic security practices—a move that, while standard, places the onus on the user.
This incident is not an isolated event. It is part of a larger, ongoing campaign by ShinyHunters and affiliated crews such as Scattered Spider. The group has made headlines with similar data breaches at a long list of high-profile companies, including Google, Chanel, Pandora, Adidas, and Qantas, all tied to Salesforce compromises by the same actor. The sheer number of victims points to a well-organized and persistent campaign that law enforcement, including the FBI, is actively tracking. In some cases, as reported by The Record, the groups responsible have even trolled law enforcement on social media, demonstrating a level of impunity and brazenness.
For cybersecurity professionals, the Workday hack is another stark reminder of the shift from perimeter defense to user education, identity controls such as restricting which OAuth apps employees can authorize, and third-party risk management. The industry has become an interconnected web of trust, and a single, well-executed social engineering attack on a single employee can unravel that trust and lead to a data breach.