Workday, a notable human resources company, suffered a cyber attack
Workday Data Breach Tied to ShinyHunters and Salesforce Hacking Group
Workday, a leading human resources technology company, has announced a data breach that occurred on August 6, 2025. The breach is part of a larger wave of cyberattacks linked to the ShinyHunters group, targeting Salesforce-connected applications via sophisticated social engineering.
The attacks on Salesforce Customer Relationship Management (CRM) systems have been a concern for many companies, including Adidas, Google, Qantas Airways, Cisco, and Workday itself.
In the Workday breach, some user information, including names, email addresses, and phone numbers, was compromised. However, there is no indication of access to customer tenants or the data within the affected databases.
The ShinyHunters group is believed to be responsible for the Workday data breach. This hacking group has reportedly done most of its damage via social engineering and voice phishing attacks.
The timeline of events suggests that ShinyHunters launched a campaign targeting Salesforce CRM platforms at numerous major companies as early as June-July 2025. Workday discovered the breach on August 6, and public disclosures were made from August 13-22, 2025.
The breach ties into an ongoing ShinyHunters campaign exploiting Salesforce CRM environments across sectors. Attackers used voice phishing to impersonate IT or HR staff, calling employees and convincing them to authorize a trojanized version of Salesforce’s Data Loader app via OAuth, granting attackers broad database access.
The OAuth-based "connected apps" authorization bypassed multi-factor authentication, allowing extraction of large CRM datasets. The same tactics and threat actor group (ShinyHunters, also tracked as UNC6040/UNC6240) targeted high-profile victims such as Allianz Life, Google, Qantas, Adidas, and luxury brands like Louis Vuitton, Chanel, and Dior.
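As an added example (not from Workday, Salesforce or the original article), the sketch below shows one way a defender could audit connected-app OAuth grants for the pattern described above: an unapproved app whose name imitates Data Loader and that holds broad scopes. The record fields, client IDs and sample grants are constructed assumptions, not a real Salesforce export format.

```python
import re
import unicodedata

# Assumption: consumer IDs approved by your admins (constructed placeholders).
APPROVED_CLIENT_IDS = {"APPROVED-DATALOADER-ID"}
# OAuth scopes that give broad API access or long-lived refresh tokens.
BROAD_SCOPES = {"full", "api", "refresh_token"}
# Normalized names a lookalike app may imitate (Data Loader, per the article).
PROTECTED_NAMES = ("dataloader",)

def normalize(name):
    """Fold accents, case, spaces and punctuation: 'Dáta-Loader' -> 'dataloader'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())

def review_grant(grant):
    """Return the reasons an OAuth grant needs analyst review (empty if none)."""
    if grant["client_id"] in APPROVED_CLIENT_IDS:
        return []
    reasons = ["client_id not on allowlist"]
    if any(p in normalize(grant["app_name"]) for p in PROTECTED_NAMES):
        reasons.append("name imitates an approved app")
    broad = BROAD_SCOPES & set(grant["scopes"])
    if broad:
        reasons.append("broad scopes: " + ",".join(sorted(broad)))
    return reasons

def flagged(grants):
    """Map each user to the review reasons for their suspicious grants."""
    out = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            out.setdefault(g["user"], []).append((g["app_name"], reasons))
    return out

# Constructed sample export of OAuth grants; field names are hypothetical.
GRANTS = [
    {"user": "alice", "app_name": "Data Loader",
     "client_id": "APPROVED-DATALOADER-ID", "scopes": ["api", "refresh_token"]},
    {"user": "bob", "app_name": "Dáta Loader - IT Support",
     "client_id": "UNKNOWN-1", "scopes": ["full", "refresh_token"]},
    {"user": "carol", "app_name": "Calendar Sync",
     "client_id": "UNKNOWN-2", "scopes": ["openid"]},
]

if __name__ == "__main__":
    for user, hits in flagged(GRANTS).items():
        print(user, hits)
```

Matching on the consumer ID rather than the display name is the point of the check: a lookalike app can copy the name of an approved tool but not its allowlisted identifier.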
In the case of Workday, contacts from a third-party CRM platform were stolen, but no access to sensitive HR or customer tenant data was gained. Other victims, such as Allianz Life and luxury retailers, suffered similar Salesforce CRM data thefts via ShinyHunters' social engineering.
This campaign is one of the largest coordinated social engineering attacks exploiting Salesforce platforms in 2025 and demonstrates the evolving sophistication of ShinyHunters' tactics, which incorporate OAuth abuse, vishing, and multi-factor authentication bypass.
The data breach affected over 11,000 corporations and 70 million users worldwide. ShinyHunters has relied primarily on social engineering and voice phishing. The group has been a prolific threat in recent years, having previously stolen 73 million customer records from AT&T and compromised the information of millions of students and teachers in the United States and Canada through an attack on PowerSchool.
Workday's blog post announcing the breach has a "noindex" tag in the source code, which signals to search engine crawlers not to index the page. This suggests that Workday is taking steps to limit the spread of information about the breach.
This news serves as a reminder for all companies to be vigilant against social engineering attacks and to take appropriate measures to secure their Salesforce-connected applications.
- Gizmodo reported on the Workday data breach, linked to the ShinyHunters and Salesforce hacking group, which exposed some user information, such as names, email addresses, and phone numbers of over 11,000 corporations and 70 million users worldwide.
- The future of tech and cybersecurity is a concern for many companies following the Workday data breach, as ShinyHunters exploited Salesforce CRM environments through social engineering and voice phishing attacks, bypassing multi-factor authentication and stealing large datasets.
- As financial institutions and tech companies face increasing threats from cybercriminals like ShinyHunters, it's essential for companies to prioritize technology solutions that strengthen their security against such attacks, protecting the data and future of their businesses.