Overview
- Workday says attackers obtained primarily business contact details such as names, email addresses, and phone numbers from a third-party CRM platform.
- The company discovered the unauthorized access on August 6, cut off the connection, and implemented additional safeguards.
- Workday cites a larger social-engineering campaign that targets employees by phone or text while impersonating HR or IT.
- Reporting links similar Salesforce-focused intrusions to groups including ShinyHunters and Scattered Spider, often using malicious OAuth app authorizations and extortion tactics.
- Workday has notified potentially affected customers and warns that the stolen contact data could fuel further phishing. Outlets also noted that the disclosure page initially carried a noindex tag.