Workday Confirms Data Breach Linked to Salesforce Social Engineering Attacks
Aug 19, 2025
Overview
Workday, an industry leader in human capital management, has confirmed a breach of a third-party CRM platform that is believed to be connected to a broader wave of Salesforce-related social engineering attacks. While its core environments remain intact, the exposed business contact information raises alarm over the potential for follow-up phishing campaigns.
What Happened?
On August 6, 2025, Workday detected an unauthorized intrusion affecting its external CRM, though its internal systems—and particularly customer tenants—remained uncompromised. Attackers exploited social engineering tactics—posing as HR or IT personnel via calls and texts—to dupe employees into surrendering access or data.
What Data Was Breached?
The attackers obtained “commonly available business contact information”—specifically names, email addresses, and phone numbers. Though seemingly innocuous, this information can fuel future spear-phishing or impersonation campaigns.
Is Workday’s Platform Compromised?
Workday has reassured customers that no customer tenant or sensitive internal data was accessed. The breach was confined to a disconnected CRM instance and did not affect employee or HR data.
Connection to Broader Salesforce-Related Attacks
This breach is part of a growing series of attacks targeting Salesforce CRM users. Cybersecurity analysts link these incidents to ShinyHunters (also referred to as UNC6040/6240), an extortion-focused group behind breaches at Google, Adidas, Qantas, Allianz Life, Chanel, Pandora, and others.
How Workday Responded
Following detection, Workday swiftly revoked access and implemented additional safeguards. It has also informed potentially affected parties and cautioned that its official communications will never ask for passwords over the phone.
What’s at Risk Moving Forward?
While the immediate damage is limited, the exposed data could fuel further social engineering or credential harvesting attacks—especially targeting organizations within Workday’s network.
Recommended Actions
Remain Alert – Exercise heightened vigilance when receiving unsolicited calls or texts.
Verify Contacts – Legitimate correspondence from Workday or vendors will not request passwords via phone.
Harden CRM Security – Audit connected apps and enforce strict permissions, multi-factor authentication (MFA), and the principle of least privilege.
Train Staff – Educate employees on spotting voice phishing (vishing) and spoofing attacks.
Final Thoughts
The Workday breach underscores a troubling trend: attackers are shifting their focus to human vulnerabilities, exploiting trust rather than system weaknesses. With sensitive contact data circulating, organizations must bolster both their technological defenses and their people-focused safeguards.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.