Human Resources Firm Workday Discloses Data Breach After Social Engineering Attack

Human resources firm Workday has disclosed a data breach after attackers compromised a third-party customer relationship management (CRM) platform through social engineering. The company, which provides cloud-based software solutions for human capital management, financial management, and planning, has stated that the breach occurred when threat actors posed as HR or IT professionals via text or phone to trick employees into revealing account credentials or personal data.

Workday, which serves over 11,000 organizations, including more than 60% of Fortune 500 firms, took swift action to contain the breach and has added extra safeguards to protect against similar incidents in the future. According to a statement published by the company, there is no indication that threat actors accessed customer tenants or data within them.

The compromised data primarily consisted of commonly available business contact information, including names, email addresses, and phone numbers. Workday warned that exposed data may potentially be used by attackers to further their social engineering scams.

"It's essential to remember that Workday will never contact anyone by phone to request a password or any other secure details," the statement concluded. "All official communications from Workday come through our trusted support channels."

According to BleepingComputer, Workday discovered the breach on August 6, and it is unclear if the breach is linked to a ShinyHunters campaign targeting Salesforce CRM via social engineering and voice phishing.

The group, tied to major past breaches, began this campaign earlier in 2025. The victims of the campaign include Adidas, Qantas, Allianz, and Google. While the exact nature of the breach is still unclear, it serves as a reminder for organizations to remain vigilant against social engineering attacks.

Key Facts About the Breach

  • Workday discovered the breach on August 6, 2023.
  • The breach was caused by a social engineering attack on a third-party CRM platform.
  • The compromised data consisted of business contact information, including names, email addresses, and phone numbers.
  • There is no indication that customer tenants or data within them were accessed.
  • Workday added extra safeguards to protect against similar incidents in the future.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon for more updates on this story and other cybersecurity news.