Workday Breach Tied to Salesforce Attacks

Workday Breach Tied to Salesforce Attacks: What Happened and Why It Matters

Published: August 2025

In August 2025, HR software giant Workday confirmed a data breach linked to the same wave of social engineering attacks that recently hit several Salesforce customers worldwide. While the exposed data may not appear highly sensitive at first glance, the incident highlights how cybercriminals are shifting tactics—from technical exploits to human manipulation.

The Workday Incident

The breach was discovered on August 6 and publicly disclosed two weeks later. Attackers posed as IT or HR staff over phone calls and text messages, convincing employees to grant access to a third‑party CRM platform connected to Workday. That platform is widely believed to have been Salesforce, which has been at the center of a broader campaign in recent months.

The attackers stole basic business contact details—names, phone numbers, and email addresses. Importantly, Workday confirmed that no customer tenant data or internal HR systems were impacted. Still, even “basic” information is valuable in the wrong hands, serving as the fuel for more targeted phishing, impersonation, and fraud attempts.

The Bigger Picture: Salesforce Campaign

Workday is not alone. The breach forms part of a coordinated campaign against Salesforce users led by the group known as ShinyHunters. Their playbook avoids complex malware or zero‑day exploits. Instead, they trick employees into approving malicious apps that mimic legitimate Salesforce tools. Once inside, they quietly export valuable customer data.

Other major companies have confirmed similar breaches, including Google, Adidas, Dior, Louis Vuitton, Cisco, Chanel, and Qantas. The pattern is clear: the attackers are exploiting trust in cloud platforms and the human tendency to act quickly under pressure.

Why This Matters

The stolen information may not include financial data or Social Security numbers, but it opens doors to further compromise. With accurate employee and customer contact lists, attackers can craft convincing phishing emails or phone calls that are far harder to detect. Social engineering thrives on credibility, and breaches like this provide exactly that.

More broadly, the Workday incident underscores a growing reality: modern cyber threats often bypass technical defenses by targeting people instead. In many cases, the weakest link is not the firewall or the software, but an employee caught off guard.

Quick Summary

Attack Vector: Social engineering via phone/text impersonating IT or HR staff
Systems Targeted: Third‑party CRM (likely Salesforce‑connected)
Data Exposed: Employee and business contact info: names, phone numbers, emails
Systems Not Affected: Workday’s internal HR systems and customer tenant data
Threat Actor: Linked to ShinyHunters (UNC6040)
Other Victims: Google, Adidas, Dior, Louis Vuitton, Cisco, Chanel, Qantas, Allianz Life
Preventive Measures: Multi‑factor authentication, training, auditing connected apps, least‑privilege access

Moving Forward

Organizations relying on Salesforce—or any CRM platform—should take this as a wake‑up call. Technical safeguards remain essential, but they must be paired with ongoing employee awareness. Multi‑factor authentication, tighter controls on connected applications, and a “least privilege” approach to access are critical steps.

But just as important is culture. Employees should feel empowered to question unusual requests, whether that’s a text from “IT” or a new app integration that feels rushed. Training and awareness programs can make the difference between a blocked attack and a damaging breach.
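One way to put "tighter controls on connected applications" into practice is a recurring audit of app authorizations against an approved list, ranking apps whose names resemble approved tools highest. The sketch below is an added example, not code from Workday, Salesforce, or the original article; the app names, users, record fields, and the set of scopes treated as broad are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed allowlist of connected apps the organization has approved.
APPROVED_APPS = {"Acme Data Sync", "Acme Mail Connector"}
# Scopes treated as broad for this audit (an assumption; adjust to your platform).
BROAD_SCOPES = {"full", "api", "refresh_token"}

def normalize(name):
    """Lower-case and keep only letters/digits so spacing and punctuation tricks collapse."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def closest_approved(name):
    """Return (approved_name, similarity 0..1) for the nearest approved app."""
    return max(
        ((a, SequenceMatcher(None, normalize(name), normalize(a)).ratio())
         for a in APPROVED_APPS),
        key=lambda pair: pair[1],
    )

def audit(authorizations, lookalike_threshold=0.8):
    """Flag authorizations of unapproved apps; lookalikes with broad scopes rank first."""
    findings = []
    for rec in authorizations:
        if rec["app"] in APPROVED_APPS:
            continue
        nearest, score = closest_approved(rec["app"])
        reasons = ["not on approved list"]
        if score >= lookalike_threshold:
            reasons.append(f"name resembles approved app '{nearest}'")
        broad = sorted(BROAD_SCOPES & set(rec["scopes"]))
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        findings.append({"app": rec["app"], "user": rec["user"], "reasons": reasons})
    # Most reasons first, so lookalikes with broad scopes lead the review queue.
    return sorted(findings, key=lambda f: -len(f["reasons"]))

# Constructed sample records, shaped like an export of connected-app authorizations.
SAMPLE = [
    {"app": "Acme Data Sync", "user": "a.lee", "scopes": ["api"]},
    {"app": "Acme DataSync Pro", "user": "b.khan", "scopes": ["full", "refresh_token"]},
    {"app": "Calendar Widget", "user": "c.diaz", "scopes": ["openid"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding["app"], finding["user"], "; ".join(finding["reasons"]))
```

Every unapproved app is reported, so an unfamiliar name with narrow scopes still reaches a reviewer; the similarity check only decides what is looked at first.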

Conclusion

The Workday breach shows how quickly trust can be turned against us. Even when the exposed data seems limited, the ripple effects can be significant, creating opportunities for impersonation, fraud, and further attacks.

As companies continue to depend on platforms like Salesforce to manage customer relationships, they must recognize that attackers are adapting too. The next breach may not come from a sophisticated exploit but from a well‑timed phone call.