On August 15, HR and finance software provider Workday reported a data breach stemming from a compromise of a third-party customer relationship management (CRM) system—widely reported to be Salesforce. The breach, attributed to the hacker group “Shiny Hunters,” exposed contact details such as names, email addresses, and phone numbers.

The incident appears to be part of a broader social engineering campaign where attackers trick employees into authorizing malicious OAuth applications, giving them access to CRM systems.

Workday emphasized that there was no indication that the breach involved access to customer tenants or the data stored within them—at least based on what they know so far. However, as with many cyber incidents, it’s possible that the full extent may take some time to emerge. Transparency around such updates is key, and some eyebrows were raised when Workday’s initial blog post on the breach was temporarily de-indexed from search engines.

What should users and businesses do?

• Stay Updated: Keep an eye on Workday’s blog or official channels for any follow-up announcements.
• Review Contracts: Business customers should review the data breach notification clauses in their contracts and consider reaching out to Workday for clarity on what systems or data may have been affected.
• Be Vigilant: Exposed contact details may be used in phishing campaigns. Stay alert to suspicious emails or phone calls, especially those that seem to come from official sources.

This is another important reminder of how interconnected systems and third-party access can create vulnerabilities—and why awareness and proactive communication matter.

Have questions or need support assessing your risk exposure?

Reach out to our team—we’re here to help.