The cyberattack on enterprise software giant Workday’s CRM platform is likely part of a broader Salesforce-targeted social engineering campaign, according to experts.
While the company did not name the affected platform in its public statement on Friday, researchers linked it to a Salesforce-targeted social engineering campaign associated with the ShinyHunters threat group.
“This is another reminder that in cybersecurity, breaches rarely happen in isolation; they ripple,” said Chad Cragle, CISO at Deepwatch. “Attackers don’t stop at one vendor; they pivot across the ecosystem, looking for the next weak link. Think of it like a row of dominoes–once one falls, the rest are in play.”
This disclosure comes just days after Google admitted it, too, was breached through its Salesforce environment, part of the ongoing campaign that has also hit Pandora, Adidas, Qantas, Chanel, Tiffany & Co., Cisco, and other global brands.
Workday is a leading supplier of cloud applications for finance, human resources (HR), and workforce management, with a global workforce exceeding 19,000 employees serving over 11,000 customers that include more than half of Fortune 500 companies.
The breach has a limited scope, but broader warnings
The Workday breach was first identified on August 6, with Workday confirming that only “commonly available business contact information” — such as names, email addresses, and phone numbers — was exposed.
“There is no indication of access to customer tenants or the data within them,” Workday said in a statement. “We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”
While refraining from naming the CRM software or the attackers, the company revealed that the attackers used familiar vishing and phone-based pretexting to pose as internal staff and trick employees into granting access.
“The Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns,” noted J Stephen Kowski, Field CTO at SlashNext. “Social profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast.”
Workday emphasized that it never asks for sensitive credentials over the phone and has reinforced training and detection systems to prevent recurrence.
Social engineering jackpot for ShinyHunters
The Workday breach slots into a much larger pattern of attacks exploiting Salesforce instances across multiple industries. Reports attribute the campaign to ShinyHunters, the notorious BreachForums admin, whom Google was tracking as UNC6040 when it first disclosed the campaign.
Victims include Google itself, which said attackers accessed a Salesforce environment in June; Pandora, which confirmed theft of customer contact data; and a long list of global enterprises such as Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, Cisco, and Air France-KLM.
“The rise in social engineering attacks by malicious actors should alarm any organization’s security team,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “This also demonstrates that the attackers are out of other options and are resorting to more difficult and time-consuming methods to attack these organizations. Every piece of information they gain in these attacks can be used to conduct further campaigns and get closer to their goals.”
Boris Cipot, senior security engineer at Black Duck, echoed concerns over the incident possibly leading to further attacks. “Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques,” he said. “Employees should be aware of the procedures and understand that they will not be penalized for refusing to provide information or assist someone impersonating a superior, including even a CEO.”
ShinyHunters, a prolific data-theft actor active since 2020, has been linked to breaches at Microsoft’s GitHub repositories, AT&T customer databases, and PowerSchool, among others, cementing their reputation as one of the most disruptive actors on the cybercrime scene. Notably, the French police arrested an alleged ShinyHunters operator in June, along with four other BreachForums administrators, including IntelBroker (aka Kai West), the infamous cybercriminal now charged in the US with a string of high-impact hacks since 2022.