Dark Web News Analysis: Workday Discloses Breach in Widespread ShinyHunters Campaign
Human resources giant Workday has disclosed that it was the target of a recent data breach after attackers compromised a third-party Customer Relationship Management (CRM) platform through a social engineering campaign. The incident is part of a much larger series of attacks targeting major global corporations. Workday, which serves over 60% of the Fortune 500, discovered the breach on August 6, 2025. The company has stated that the attack did not impact its core customer HR systems or tenants. The exposed information was limited to:
- Business Contact Information: Names, email addresses, and phone numbers of contacts stored in the company’s CRM system.
Important Note: According to Workday, core customer HR data and production tenants were not impacted by this incident.
Key Cybersecurity Insights
This incident highlights a sophisticated, ongoing campaign by a major threat actor that leverages social engineering and abuses trusted cloud platforms.
- Part of a Massive “ShinyHunters” Campaign Targeting Salesforce: This is not an isolated attack on Workday. It is part of a broad and highly successful campaign attributed to the notorious ShinyHunters extortion group. This same campaign has recently breached other major brands, including Google, Adidas, Allianz Life, and Louis Vuitton, with the common vector being the company’s Salesforce CRM instance.
- Social Engineering and Malicious OAuth Apps as the Entry Point: The attackers are not exploiting a software vulnerability in Salesforce itself. Instead, they are using sophisticated social engineering and voice phishing (“vishing”) to trick employees into granting a malicious OAuth application access to their company’s Salesforce environment. Once an employee authorizes the app, it is used to exfiltrate the CRM database.
- Exposed Contact Data Fuels Further Social Engineering: While Workday has clarified that no core HR data was lost, the stolen business contact list is a valuable asset for attackers. This verified list of names, emails, and phone numbers will be used to launch highly credible and targeted phishing scams against Workday’s own employees, partners, and the customers whose contact information was exposed.
Critical Mitigation Strategies
The tactics used in this campaign show that defending against modern threats requires a strong human firewall and strict control over third-party application integrations.
- For All Organizations: Train Employees to Spot Social Engineering and OAuth Attacks: The primary defense against this campaign is the human layer. Employees must be continuously trained to recognize the signs of social engineering, voice phishing, and, crucially, to be extremely cautious of any unexpected requests to authorize third-party applications (OAuth), even if the request appears to come from an internal department like IT or HR.
- For All Organizations: Audit and Control Third-Party App Integrations: Security and IT teams must regularly audit all third-party applications connected via OAuth to critical platforms like Salesforce, Microsoft 365, or Google Workspace. It is vital to implement strict policies to control which applications can be authorized and by whom, and to enforce the principle of least privilege.
- For Workday and its Customers: Be on High Alert for Targeted Phishing: The stolen contact list will almost certainly be used for follow-on attacks. Workday’s employees, partners, and any customers whose contact information was stored in the CRM should be explicitly warned to be vigilant for sophisticated phishing emails and calls that may use this stolen data to appear legitimate.
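One way to carry out the third-party app audit recommended above, as an added example that is not from Workday, Salesforce, or the original article: it checks an inventory of OAuth grants against an allowlist and flags scopes beyond what was approved. The app names, users, field names, allowlist, and dates are constructed assumptions; in practice the inventory would come from the platform's connected-app usage export.

```python
from datetime import datetime, timedelta

# Assumption: apps reviewed by the security team, mapped to the scopes approved for each.
APPROVED = {"Marketing Sync": {"api", "refresh_token"}, "Support Desk": {"api"}}
# Scopes that permit bulk or long-lived access to CRM data.
BROAD = {"full", "api", "refresh_token"}

# Constructed sample inventory of OAuth grants (hypothetical field names).
GRANTS = [
    {"app": "Marketing Sync", "user": "alice", "scopes": ["api", "refresh_token"], "granted": "2024-11-02"},
    {"app": "Support Desk", "user": "bob", "scopes": ["api", "refresh_token"], "granted": "2024-12-10"},
    {"app": "Ticket Export Tool", "user": "carol", "scopes": ["full", "refresh_token"], "granted": "2025-01-14"},
    {"app": "Calendar Widget", "user": "dave", "scopes": ["id"], "granted": "2024-06-30"},
]

def audit_grants(grants, approved, now, recent_days=7):
    """Return one finding per grant that violates the allowlist or least privilege."""
    findings = []
    for g in grants:
        scopes = set(g["scopes"])
        allowed = approved.get(g["app"])
        reasons = []
        if allowed is None:
            reasons.append("app not on allowlist")
            broad = sorted(scopes & BROAD)
            if broad:
                reasons.append("broad scopes: " + ",".join(broad))
            # A fresh grant to an unreviewed app may follow a phishing call.
            age = now - datetime.fromisoformat(g["granted"])
            if age <= timedelta(days=recent_days):
                reasons.append("granted in last %d days" % recent_days)
        else:
            excess = sorted(scopes - allowed)
            if excess:
                reasons.append("scopes exceed approval: " + ",".join(excess))
        if reasons:
            # An unlisted app holding broad scopes is reviewed and revoked first.
            severity = "high" if allowed is None and scopes & BROAD else "medium"
            findings.append({"app": g["app"], "user": g["user"],
                             "severity": severity, "reasons": reasons})
    # High-severity findings first; original order is kept within each level.
    return sorted(findings, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for f in audit_grants(GRANTS, APPROVED, now=datetime(2025, 1, 16)):
        print(f["severity"], f["app"], f["user"], "; ".join(f["reasons"]))
```
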