HR tech giant Workday has joined a growing list of high-profile companies caught in the crosshairs of an ongoing social engineering campaign targeting Salesforce databases. In a blog post published late Friday, the company disclosed that attackers had gained access to a third-party customer relationship management platform and stolen contact information including names, email addresses, and phone numbers.
The breach, discovered on August 6, affects one of the world’s largest human resources technology providers, serving over 11,000 organizations and 70 million users worldwide. What makes this incident particularly concerning isn’t just the scale of Workday’s reach, but how it fits into a much larger pattern of attacks that security researchers have linked to the notorious ShinyHunters cybercrime group.
The Attack: Social Engineering at Scale
The ShinyHunters group uses a sophisticated but surprisingly straightforward approach to breach Salesforce instances. The attackers begin by calling employees, often targeting English-speaking branches of multinational companies, and posing as corporate IT staff requesting urgent troubleshooting assistance.
During these calls, attackers direct victims to Salesforce’s Connected Apps authorization page and provide an eight-digit connection code. They convince employees to authorize what appears to be a legitimate Salesforce application called “Data Loader” – a real client application that allows users to import, export, update, or delete data within Salesforce environments.
However, the attackers use a modified version of this tool that gives them broad access to download customer databases. The application supports OAuth and integrates directly via Salesforce’s “connected apps” functionality, making the authorization request look completely legitimate to unsuspecting employees.
Once authorized, the attackers can exfiltrate massive amounts of data before organizations realize what’s happened. Security researchers note that the group uses Mullvad VPN and TOR IPs to obfuscate their data theft activities.
For Workday specifically, the company stated there’s “no indication of access to customer tenants or the data within them,” which corporate customers typically use to store the bulk of their human resources files and employees’ personal data. However, the stolen contact information could easily be weaponized for future attacks.

Part of a Massive Campaign
The Workday breach isn’t an isolated incident. It’s part of what security researchers are calling one of the most significant social engineering campaigns of 2025. Victims included Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, Pandora, and others.
Google revealed that one of its corporate Salesforce instances was targeted by threat actors. The attack appears to be part of a campaign that has hit several major companies. The tech giant attributed the activity to a threat group it tracks as UNC6040, which has clear links to the ShinyHunters collective.
When Humans Become the Weak Link
This campaign once again spotlights a serious challenge in cybersecurity: humans are the weakest link. No matter how sophisticated your technical defenses are, if an attacker can convince an employee to authorize access, those protections become irrelevant.
The attackers didn’t exploit a software vulnerability or break through firewalls; they just called someone up and convinced them to grant access, turning low-tech social engineering into high-impact results.
This approach is particularly effective because it exploits the helpful nature of employees who genuinely want to assist what they believe are legitimate IT requests. The attackers often create a sense of urgency, claiming there’s a critical system issue that needs immediate attention.
Why Third-Party Platforms Complicate Security
One of the most challenging aspects of the Workday breach is that it involved a third-party CRM platform (widely reported to be Salesforce, though Workday hasn’t confirmed this). This creates a security blind spot that many organizations struggle to address.
When you’re using multiple cloud platforms and services, each one represents a potential entry point for attackers. Your security is only as strong as the weakest link in your technology stack. Even if your primary systems are locked down tight, a breach in a connected third-party service can provide attackers with valuable data and a foothold for future attacks.
This interconnectedness means that access management becomes exponentially more complex. You’re managing who has access to what within your own systems, plus how those systems integrate with external platforms and what permissions those integrations require.

What This Means for Your Organization
The ShinyHunters campaign targeting Salesforce instances should be a wake-up call for every organization using cloud-based business applications.
Social engineering awareness is critical. Your employees need to understand that attackers are specifically targeting them with sophisticated phone-based attacks. Regular training on recognizing and reporting suspicious contact attempts is essential.
Third-party integrations need security oversight. Every cloud service you connect to your business systems represents a potential attack vector. You need visibility into what data these integrations can access and who has the ability to authorize new connections.
Incident response plans need to account for third-party breaches. When a service provider like Workday gets breached, you need procedures in place to assess the potential impact on your organization and take appropriate protective measures.
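The connected-app abuse described earlier (an employee authorizing a modified "Data Loader", followed by bulk export over VPN or TOR addresses) leaves a trail that the oversight called for above can look for. The sketch below is an added example, not code from the article, Workday or Salesforce; the event schema, app identifiers, IP ranges and row threshold are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumption: approved connected apps are keyed by a stable identifier, never by display name.
APPROVED_APPS = {"app-001": "Data Loader"}
# Assumption: anonymizer egress ranges come from a threat-intel feed (documentation range here).
ANONYMIZER_NETS = [ip_network("203.0.113.0/24")]
BULK_ROWS = 10_000  # assumed per-request export threshold

# Constructed events in a hypothetical normalized schema (not a real Salesforce log format);
# "ts" is a constructed sequence number.
EVENTS = [
    {"ts": 1, "type": "oauth_grant", "user": "alice", "app_id": "app-001",
     "app_name": "Data Loader", "ip": "198.51.100.10"},
    {"ts": 2, "type": "oauth_grant", "user": "bob", "app_id": "app-999",
     "app_name": "Data Loader", "ip": "198.51.100.20"},
    {"ts": 3, "type": "api_export", "user": "bob", "app_id": "app-999",
     "rows": 250_000, "ip": "203.0.113.7"},
    {"ts": 4, "type": "api_export", "user": "alice", "app_id": "app-001",
     "rows": 500, "ip": "198.51.100.10"},
    {"ts": 5, "type": "oauth_grant", "user": "carol", "app_id": "app-777",
     "app_name": "Report Sync", "ip": "198.51.100.30"},
]

def from_anonymizer(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)

def detect(events):
    """Return (ts, user, finding) tuples in time order."""
    findings, unapproved = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["app_id"])
        if e["type"] == "oauth_grant" and e["app_id"] not in APPROVED_APPS:
            unapproved.add(key)
            # A trusted display name on an unknown identifier is the lookalike case.
            lookalike = e["app_name"] in APPROVED_APPS.values()
            findings.append((e["ts"], e["user"],
                             "lookalike_app_grant" if lookalike else "unapproved_app_grant"))
        elif e["type"] == "api_export" and key in unapproved:
            # Exports through an unapproved grant matter most when large or anonymized.
            if e["rows"] >= BULK_ROWS or from_anonymizer(e["ip"]):
                findings.append((e["ts"], e["user"], "export_after_unapproved_grant"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Matching on the app identifier rather than the display name is what separates the approved "Data Loader" grant from the lookalike in the sample data.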
Moving Forward
The Workday breach is a reminder that cybersecurity involves technology, people, processes, and the complex web of services that modern businesses depend on. Organizations need to think holistically about security, ensuring that employee training and incident response capabilities work together to create a robust defense against these evolving threats.
The ShinyHunters campaign won’t be the last time we see attackers successfully exploit the human element to bypass technical security controls. Every organization will face similar attacks. The real question is whether you’ll be prepared when they come.