Workday, the US-listed human resources software company, has revealed it was targeted in a cyberattack after hackers infiltrated a third-party customer relationship management (CRM) system through a social engineering campaign.

The California-based firm said no customer environments or sensitive internal systems were accessed, and that compromised data was limited to business contact details, such as names, email addresses and phone numbers. However, it warned that the information could be used in follow-up phishing or impersonation attacks.

“There is no indication of access to customer tenants or the data within them,” the company said in a statement. “We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”

Workday, which serves more than 11,000 enterprise customers and employs over 19,000 people globally, has been linked to a broader cyber campaign targeting organisations using Salesforce’s CRM platform.

The company urged users to be vigilant and reiterated that it would never request passwords or sensitive details by phone. “All official communications from Workday come through our trusted support channels,” it said.

The disclosure adds to growing concerns about the security risks posed by third-party platforms — particularly as social engineering tactics become more sophisticated and widespread.

According to reports, the attacks are associated with the ShinyHunters extortion group, which has also breached companies including Adidas, Louis Vuitton, Dior, Chanel and Google.

Security experts said the incident underscores the growing threat posed by social engineering. Kevin Marriott, senior manager of cyber and head of SecOps at Immersive, noted that CRM platforms are prime targets.

“CRM tooling is often a key target for threat actors as they typically store limited, but valuable information that threat actors can either use themselves or sell on, with databases full of information that is useful such as email addresses and other personal information,” Marriott said.

“If this attack is indeed linked to the broader campaign targeting Salesforce instances, it highlights how threat actors such as ShinyHunters are focusing their efforts on SaaS platforms that hold valuable customer data from a variety of organisations.”

Javvad Malik, lead security awareness advocate at KnowBe4, warned that social engineering remains one of the hardest attack vectors to defend against.

“Social engineering continues to be the most common way organisations get breached for this very reason that technical controls have their limitations,” he said.

“We currently don’t have effective ways for technology to screen and block phone calls in the same way that we can reduce some of the risk with emails. So, it’s important to not only educate people on these risks, but to empower them to say no to any suspicious requests and follow a separate, more secure process.”
