Workday, a giant in the HR and financial management arena, is the latest victim of a data breach linked to a third-party customer relationship management (CRM) platform.
The company, which pulled in more than $8.4 billion in revenue in its fiscal year 2025 and has more than 20,400 employees around the world, alerted customers late last week about the incident in a brief statement, pointing to a “recent social engineering campaign targeting many large organizations, including Workday.”
“In this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT,” the company wrote. “Their goal is to trick employees into giving up account access or their personal information.”
The threat actors were able to access some “commonly available business contact information” from Workday’s third-party CRM platform, including names, email addresses, and phone numbers. While the company said the hackers did not get access to customer tenants or the data they hold, it stressed that the information they did gain could be used in future social engineering scams.
Workday said it cut the access the bad actors had and added more safeguards to protect against similar attacks in the future. In addition, the company reiterated that it will never contact a customer by phone and ask for a password or other secure details, with all communications from it coming through support channels.
ShinyHunters Strikes Again
While Workday didn’t disclose who the attackers were, reports say the company was victimized by ShinyHunters, a group that has ramped up its attacks after what researchers with cybersecurity firm ReliaQuest wrote this month was “a year of inactivity.”
They also wrote in a report about a likely connection between ShinyHunters and Scattered Spider, a high-profile ransomware group that has made headlines this year by targeting a range of industries, from retailers to insurance companies to airlines.
“’ShinyHunters’ has resurfaced with a wave of attacks on Salesforce, targeting high-profile companies across various sectors,” they wrote. “ReliaQuest has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages, likely created for similar campaigns. This resurgence has sparked speculation about collaboration between ShinyHunters and ‘Scattered Spider,’ potentially dating back to July 2024.”
Google Falls Victim After Warning Others
Some of the well-known companies that have fallen victim to ShinyHunters include Chanel, Pandora, Adidas, and Qantas. Google’s Threat Intelligence Group (GTIG) in June wrote about the accelerating efforts by ShinyHunters – also known as UNC6240 – to attack organizations, including the possibility that it would create a data leak site to increase pressure on victims, including those hit in the Salesforce-related breaches.
On August 5, Google updated the report to say one of its corporate Salesforce instances used to store contact information and other data for SMBs was attacked by ShinyHunters, adding that “the data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
Links to Scattered Spider
According to ReliaQuest, several points appear to link ShinyHunters with Scattered Spider. In the latest surge of attacks, ShinyHunters adopted “hallmark Scattered Spider techniques,” including highly targeted vishing campaigns impersonating support staff, apps that appear to be legitimate tools like Salesforce, Okta-themed phishing pages, and VPN obfuscation using the Mullvad VPN for data exfiltration.
Both threat groups are also part of what’s known as The Com, which ReliaQuest described as “a sprawling network of disparate sub-groups and cliques that engage in account takeover activity, SIM-swapping, cryptocurrency theft, swatting, and sextortion. Some sub-groups have even engaged in more extreme activities like ‘violence for hire’ and coercing individuals into self-harm.”
Social Engineering
Varonis researchers this month detailed ShinyHunters’ tactics, with threat actors using a combination of live calls and automated phone systems with pre-recorded messages and interactive menus to gather such information as internal application names, support team contacts, and company-wide technical issues.
They then contact their targets directly, with the attacker impersonating IT support and instructing the victim to install a modified and malicious version of Salesforce’s Data Loader, a legitimate tool for moving and updating Salesforce data en masse.
Victims are led to Salesforce’s connected app setup page and told to authorize the malicious app, which gives the ShinyHunters hacker access to the target’s Salesforce environment to steal customer and operational data. They can then move laterally through the network, collecting credentials and sensitive data from systems.
“Salesforce environments are increasingly targeted by threat actors like UNC6040 and Scattered Spider due to the rich customer, sales, and operational data they contain,” Varonis wrote. “These breaches didn’t stem from vulnerabilities in Salesforce itself. Instead, attackers exploited human trust and workflow gaps — impersonating IT support, abusing helpdesk protocols, and leveraging Salesforce’s OAuth model to maintain persistent access.”
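The chain described above, a user authorizing a connected app that is not on the organization’s approved list and that app pulling data in bulk minutes later, is something a defender can look for in audit data. The following is an added example written for this article, not code from Workday, Varonis, Google, or Salesforce: it runs a simple two-rule detection over a handful of constructed audit records. The record layout (timestamp, event kind, user, app name, row count) is an assumed, simplified schema, not Salesforce’s actual event log format, and the approved-app list, row threshold, and time window are assumptions to be tuned per environment.

```python
"""Added example: flag unapproved connected-app authorizations and bulk
exports that follow them. Record schema, allowlist, and thresholds are all
assumptions made for this illustration (not Salesforce's real log format)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Assumed allowlist of connected apps the organization has reviewed.
APPROVED_APPS = {"Data Loader", "Reporting Connector"}
BULK_ROW_THRESHOLD = 10_000       # exports at or above this size count as bulk
AUTH_TO_EXPORT_WINDOW = timedelta(hours=2)  # how soon after authorization is suspicious


@dataclass
class Event:
    ts: datetime
    kind: str   # "app_authorized" or "bulk_export"
    user: str
    app: str
    rows: int = 0


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited record: ts|kind|user|app|rows (assumed layout)."""
    ts, kind, user, app, rows = [field.strip() for field in line.split("|")]
    return Event(datetime.fromisoformat(ts), kind, user, app, int(rows))


def detect(events: Iterable[Event]) -> list[tuple[str, str, str]]:
    """Return (severity, rule, user) alerts, in chronological order.

    Rule 1: authorizing an app outside APPROVED_APPS is worth a look on its own.
    Rule 2: a bulk export through that same app shortly afterwards is the
            pattern the article describes, so it is raised at high severity;
            any other bulk export is surfaced at low severity for review.
    """
    alerts: list[tuple[str, str, str]] = []
    last_unapproved: dict[str, tuple[str, datetime]] = {}  # user -> (app, when)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "app_authorized" and ev.app not in APPROVED_APPS:
            last_unapproved[ev.user] = (ev.app, ev.ts)
            alerts.append(("medium", "unapproved_app_authorized", ev.user))
        elif ev.kind == "bulk_export" and ev.rows >= BULK_ROW_THRESHOLD:
            prior = last_unapproved.get(ev.user)
            if prior and prior[0] == ev.app and ev.ts - prior[1] <= AUTH_TO_EXPORT_WINDOW:
                alerts.append(("high", "bulk_export_after_new_app", ev.user))
            else:
                alerts.append(("low", "bulk_export", ev.user))
    return alerts


# Constructed sample records: alice uses the approved tool for a small job,
# bob authorizes an unknown "Data Loader" build and exports 250k rows four
# minutes later, carol does a large export with an approved app.
SAMPLE_LOG = """\
2025-08-12T09:01:00|app_authorized|alice|Data Loader|0
2025-08-12T09:05:00|bulk_export|alice|Data Loader|500
2025-08-12T10:30:00|app_authorized|bob|Data Loader (custom build)|0
2025-08-12T10:34:00|bulk_export|bob|Data Loader (custom build)|250000
2025-08-12T11:00:00|bulk_export|carol|Reporting Connector|50000
"""


def run(log_text: str = SAMPLE_LOG) -> list[tuple[str, str, str]]:
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return detect(events)


if __name__ == "__main__":
    for severity, rule, user in run():
        print(f"[{severity}] {rule}: user={user}")
```

The point of keeping the two rules separate is that the authorization alone is often noise (users do install new tools), while the authorization followed by a large pull through the same app within a short window is the specific sequence worth paging someone about. In a real deployment the allowlist would be the organization’s reviewed connected apps and the thresholds would come from a baseline of normal export sizes.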
No Relief in Sight
“The Workday breach is just the latest example showing that this summer’s cyberattacks aren’t easing off,” said Pat Larkin, president of security-first MSP Ekco Security. “Attackers continue to target users, whether internal or in the supply chain, because it works. … The end user and your supply chain are often the weakest links, and that’s exactly what threat actors exploit.”
Companies and their employees need to understand the threat, with workers having the right tools and education and the corporate-backed authority to challenge requests even if they appear legitimate.
“Ultimately, this is about business continuity,” Larkin said. “You need more than alerts. You need eyes on those alerts, a plan behind them, and confidence that if something does go wrong, you’re ready. That means frequent testing, clear ownership, and a strong mix of people, process, and technology.”