‘Protecting you’ | HR giant Workday notifies customers of data breach after Salesforce cyberattack

HR giant Workday has reported a data breach after attackers gained access to its third-party customer relationship management (CRM) system.

Workday is potentially the latest firm to be targeted in a string of social engineering and phishing attacks by an extortion group known as ‘ShinyHunters,’ a campaign that has seen similar attacks made against firms including Adidas and Google.

Having identified the breach earlier in August, Workday has notified customers and warned them that some business information has been exposed.

“There is no indication of access to customer tenants or the data within them,” the notice said, but warned that the exposed business contact information could potentially be used in further attacks against the customers.

Workday confirms data breach, issues customer guidance

A report from BleepingComputer said the breach came as part of the string of ShinyHunters Salesforce CRM attacks – although Workday has not officially confirmed this point.

During such attacks – believed to have started earlier in 2025 – employees are tricked by threat actors into connecting a malicious OAuth app with their Salesforce database.

The link is then used to download and steal customer data, including email addresses, which is subsequently used for attempted extortion and phishing.

ShinyHunters has claimed responsibility for several breaches this year, demanding ransoms to stop the data from being leaked.

Workday, whose HR platform is used by over 11,000 employers, including nearly two-thirds of Fortune 500 firms, publicly confirmed the breach in a blog post on Friday last week.

The blog post said it had learned it was hit by a “recent social engineering campaign targeting many large organizations,” during which employees were contacted by text or phone by someone posing as a colleague from HR or IT.

“Their goal is to trick employees into giving up account access or their personal information,” the post explained.

“Threat actors were able to access some information from our third-party CRM platform,” it said, emphasizing that there is “no indication of access to customer tenants or the data within them.”

‘Extra safeguards’ - what happens next after Workday breach?

Workday said the information the threat actor obtained was mainly “commonly available” business contact information, including names, email addresses, and phone numbers.

“We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” the HR platform provider said.

Workday issued clear guidance for customers: “It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels.”

Customers were first notified of the breach through a notification on August 6, BleepingComputer reported.

In recent years, ShinyHunters has made demands for payments from companies including Adidas, AT&T, Chanel, Dior, and Google.

Read Workday’s full memo to customers

At Workday, trust and transparency guide everything we do. We want to let you know about a recent social engineering campaign targeting many large organizations, including Workday. 

In this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT. Their goal is to trick employees into giving up account access or their personal information. 

We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.

The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams.

It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels. 

To learn more about what Workday does to secure our data and that of our customers, please visit our Security and Trust page.
