{"id":14640,"date":"2025-08-19T11:59:36","date_gmt":"2025-08-19T11:59:36","guid":{"rendered":"https:\/\/newestek.com\/?p=14640"},"modified":"2025-08-19T11:59:36","modified_gmt":"2025-08-19T11:59:36","slug":"shinyhunters-strike-again-workday-breach-tied-to-salesforce-targeted-social-engineering-wave","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14640","title":{"rendered":"ShinyHunters strike again: Workday breach tied to Salesforce-targeted social engineering wave"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The cyberattack on enterprise software giant Workday\u2019s CRM platform is likely part of a broader Salesforce-targeted social engineering campaign, according to experts.<\/p>\n<p>While the company did not name the affected platform in its public statement on Friday, researchers linked it to a <a href=\"https:\/\/www.csoonline.com\/article\/4001744\/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html\" target=\"_blank\">Salesforce-targeted social engineering campaign <\/a>associated with the ShinyHunters threat group.<\/p>\n<p>\u201cThis is another reminder that in cybersecurity, breaches rarely happen in isolation; they ripple,\u201d said Chad Cragle, CISO at Deepwatch. \u201cAttackers don\u2019t stop at one vendor; they pivot across the ecosystem, looking for the next weak link. 
Think of it like a row of dominoes\u2013once one falls, the rest are in play.\u201d<\/p>\n<p>This disclosure comes just days after Google admitted it, too, <a href=\"https:\/\/www.csoonline.com\/article\/4035701\/we-too-were-breached-says-google-months-after-revealing-salesforce-attacks.html\" target=\"_blank\">was breached<\/a> through its Salesforce environment, part of the ongoing campaign that has also hit Pandora, Adidas, Qantas, Chanel, Tiffany &amp; Co., Cisco, and other global brands.<\/p>\n<p>Workday is a leading supplier of cloud applications for finance, human resources (HR), and workforce management, with a global workforce exceeding 19000 employees serving over 11000 customers that include more than half of Fortune 500 companies.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-breach-has-a-limited-scope-but-broader-warnings\">The breach has a limited scope, but broader warnings<\/h2>\n<p>The Workday breach was first identified on August 6, with Workday confirming that only \u201ccommonly available business contact information\u201d \u2014 such as names, email addresses, and phone numbers \u2014 was exposed.<\/p>\n<p>\u201cThere is no indication of access to customer tenants or the data within them,\u201d Workday said in a <a href=\"https:\/\/blog.workday.com\/en-us\/protecting-you-from-social-engineering-campaigns-update-from-workday.html\" target=\"_blank\" rel=\"noreferrer noopener\">statement<\/a>. \u201cWe acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.\u201d<\/p>\n<p>While refraining from naming the CRM software or the attackers, the company revealed that attackers used the familiar vishing and phone-based pretexting to pose as internal staff and trick employees into granting access.<\/p>\n<p>\u201cThe Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns,\u201d noted J Stephen Kowski, Field CTO at SlashNext. 
\u201cSocial profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast.\u201d<\/p>\n<p>Workday emphasized that it never asks for sensitive credentials over the phone and has reinforced training and detection systems to prevent recurrence.<\/p>\n<h2 class=\"wp-block-heading\" id=\"social-engineering-jackpot-for-shinyhunters\">Social engineering jackpot for ShinyHunters<\/h2>\n<p>The Workday breach slots into a much larger pattern of attacks <a href=\"https:\/\/www.csoonline.com\/article\/4001744\/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html?utm=hybrid_search#:~:text=Abusing%20Salesforce%E2%80%99s%20App%20integration%20functionality\">exploiting Salesforce instances<\/a> across multiple industries. Reports attribute the campaign to ShinyHunters, the notorious BreachForums admin, whom Google was tracking as UNC6040 when it first disclosed the campaign.<\/p>\n<p>Victims include Google itself, which <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/voice-phishing-data-extortion\">said<\/a> attackers accessed a Salesforce environment in June, Pandora, which confirmed theft of customer contact data, and a long list of global enterprises such as Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany &amp; Co., Chanel, Cisco, and Air France-KLM.<\/p>\n<p>\u201cThe rise in social engineering attacks by malicious actors should alarm any organization\u2019s security team,\u201d said Thomas Richards, Infrastructure Security Practice Director at Black Duck. \u201cThis also demonstrates that the attackers are out of other options and are resorting to more difficult and time-consuming methods to attack these organizations. 
Every piece of information they gain in these attacks can be used to conduct further campaigns and get closer to their goals.\u201d<\/p>\n<p>Boris Copilot, senior security engineer at Black Duck, echoed concerns over the incident possibly leading to further attacks. \u201cWorkday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques,\u201d he said. \u201cEmployees should be aware of the procedures and understand that they will not be penalized for refusing to provide information or assist someone impersonating a superior, including even a CEO.\u201d<\/p>\n<p>ShinyHunters, a prolific data-theft actor active since 2020, has been linked to breaches at Microsoft\u2019s GitHub repositories, AT&amp;T customer databases, and PowerSchool, among others, cementing their reputation as one of the most disruptive actors on the cybercrime scene. Notably, the French police arrested an alleged ShinyHunters operator in June, along with four other BreachForums administrators, including <a href=\"https:\/\/www.csoonline.com\/article\/4013356\/us-indicts-one-for-role-in-breachforums-france-arrests-four-others.html\">IntelBroker<\/a> (aka Kai West), the infamous cybercriminal now charged in the US with a string of high-impact hacks since 2022.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The cyberattack on enterprise software giant Workday\u2019s CRM platform is likely part of a broader Salesforce-targeted social engineering campaign, according to experts. While the company did not name the affected platform in its public statement on Friday, researchers linked it to a Salesforce-targeted social engineering campaign associated with the ShinyHunters threat group. 
\u201cThis is another reminder that in cybersecurity, breaches rarely happen in isolation; they&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14640\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14640","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14640"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14640\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}