
Workday has confirmed it was one of several major firms targeted in a recent social engineering campaign, resulting in unauthorized access to limited contact data stored in a third-party customer relationship management (CRM) platform.
While the company stresses that no customer tenant data or sensitive HR and financial records were affected, the incident bears striking similarities to the Salesforce-related attacks disclosed earlier this month.
In a security update published late last week, Workday explained that attackers contacted employees by phone and text while posing as HR or IT staff. Their aim was to trick employees into sharing account credentials or personal information. The attackers successfully accessed names, emails, and phone numbers from Workday’s external CRM environment, data commonly exploited to fuel follow-up phishing or impersonation schemes. Workday has not identified the vendor involved, but Salesforce is the dominant CRM provider across Fortune 500 firms and has been at the center of a major campaign tracked as UNC6040.
Workday is a major cloud provider of HR, finance, and planning applications, serving more than 10,000 organizations worldwide. Its clients include multinational corporations and government institutions, making the company a high-value target for financially motivated cybercriminals. Although the breach was contained to a CRM system separate from Workday’s production environment, the timing and attack method align with a larger trend of vishing-driven data theft aimed at enterprise CRM platforms.
Google’s Threat Intelligence Group (GTIG) recently revealed that UNC6040 actors had compromised Salesforce instances at multiple organizations, including one at Google itself. Attackers gained access by impersonating IT staff over the phone and convincing employees to authorize malicious OAuth-connected apps disguised as legitimate Salesforce utilities. Once authorized, these apps enabled bulk data exfiltration using modified versions of Salesforce’s Data Loader tool and custom Python scripts. A related cluster, UNC6240, has since launched extortion attempts under the “ShinyHunters” name, threatening to leak stolen CRM data unless victims pay.
Given these parallels, it is plausible that the Workday incident is another case within the broader UNC6040 campaign. The attackers’ focus on contact data, reliance on impersonation, and choice of CRM as the entry point mirror the techniques documented in the Salesforce breaches. If confirmed, Workday’s disclosure would add to the growing list of high-profile firms caught in the same coordinated operation, including Allianz Life, Chanel, KLM/Air France, Pandora, and Cisco.
Workday has implemented new safeguards to prevent repeat intrusions and emphasized that it will never ask employees or customers for passwords over the phone. The company advises users to treat any unexpected communication requesting sensitive information as suspicious and to confirm authenticity via official support channels.