Workday Warns of Phishing Risks After Third-Party CRM Breach
Mine2 Team, 3 min read

Workday has disclosed that attackers exploited a third-party CRM platform via phishing and OAuth abuse, exposing business contact data. While Workday core systems remain unaffected, the incident highlights persistent SaaS supply-chain risks.

Overview

On August 19, 2025, Workday disclosed a security incident stemming from the breach of a third-party customer relationship management (CRM) platform (reportedly Salesforce).

While Workday's core systems and customer tenants were not affected, attackers leveraged social engineering and OAuth abuse to gain unauthorized CRM access, highlighting the growing risks of SaaS supply-chain dependencies.


Incident Overview

Breach Discovered: August 6, 2025
Public Disclosure: August 15, 2025
Attack Type: Phishing (voice and text), impersonation, OAuth exploitation
Impacted Systems: Third-party CRM (reportedly Salesforce)
Workday Systems: Core systems and tenants not impacted

How the Breach Happened

The incident followed a phishing-to-OAuth exploitation chain:

  1. Initial Access – Workday staff targeted by voice phishing (vishing) and SMS phishing (smishing) campaigns.
  2. Impersonation – Attackers posed as HR/IT staff to lure employees into malicious actions.
  3. Credential Harvesting – Victims tricked into authorizing malicious OAuth apps.
  4. CRM Exploitation – OAuth integrations enabled unauthorized access to the CRM platform.
  5. Data Exfiltration – Contact data (names, emails, phone numbers) was stolen for follow-on phishing and extortion.

Tactics closely resembled those used in the ShinyHunters campaign against major CRM/SaaS platforms.


Data Exposed

Data compromised in this breach included business contact information:

  • Names
  • Email addresses
  • Phone numbers

➡️ While not highly sensitive individually, this information enables escalated phishing, impersonation, and social engineering campaigns.


Threat Actor Profile

Suspected Group: ShinyHunters
Motivation: Data theft, resale, extortion
Techniques Used: Vishing, smishing, malicious OAuth integrations
Linked Campaigns: Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Chanel, Google
Historical Activity: Breaches at Snowflake, AT&T, PowerSchool
Threat Level: High (persistent SaaS/CRM targeting)

Lessons Learned

  • Third-Party Weakness – Even when vendor systems are secure, integrated SaaS tools like CRMs can be exploited.
  • "Low-Risk" Data Value – Emails and phone numbers fuel secondary phishing and impersonation attacks.
  • OAuth Exploitation – Malicious OAuth apps represent a growing SaaS exploitation vector.
  • Supply-Chain Vigilance – Enterprises must evaluate SaaS resilience as carefully as core systems.

Recommendations

Workday recommends proactive defensive measures for customers and partners:

1. Employee Awareness

  • Run phishing and vishing simulation training.
  • Reinforce prompt reporting of suspicious calls and SMS messages.

2. Stronger Authentication & Access Control

  • Enforce adaptive MFA across CRM/SaaS accounts.
  • Apply least-privilege principles to CRM access.
  • Regularly audit and revoke dormant accounts.

3. OAuth Governance

  • Require formal approval for third-party app integrations into SaaS/CRMs.
  • Continuously monitor for malicious or unverified OAuth apps.

4. Vendor & SaaS Risk Management

  • Run security assessments for SaaS providers.
  • Confirm resilience to OAuth/social engineering.
  • Limit data stored in CRMs (data minimization).

5. Incident Response Improvements

  • Expand IR playbooks to include OAuth-integrated app exploits and CRM-targeted phishing.
  • Monitor login and token usage for anomalies.
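As an added example (not code from the original article, Workday or any CRM vendor), the following Python detector applies the OAuth governance and token-monitoring recommendations above to constructed CRM consent-log events: it flags grants to connected apps outside an approved allowlist, raises severity when the granted scopes are broad, and reports a burst of consents to one unapproved app as a likely coordinated lure. The event fields, scope names and allowlist are assumptions, not a real CRM's log schema.

```python
"""Detect unapproved OAuth connected-app grants in CRM consent audit logs.

Assumptions (not from the Workday disclosure): events are dicts with the
fields used below, and the approved list is maintained by the SaaS owner.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes granting standing, broad access; constructed names for illustration.
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}

# Constructed sample audit events: one consent event per user per app.
SAMPLE_EVENTS = [
    {"ts": "2025-08-05T09:02:11Z", "user": "alice", "client_id": "app-approved-01",
     "app_name": "Marketing Sync", "scopes": ["api"]},
    {"ts": "2025-08-05T10:15:40Z", "user": "bob", "client_id": "app-unknown-77",
     "app_name": "IT Helpdesk Connector", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-08-05T10:21:03Z", "user": "carol", "client_id": "app-unknown-77",
     "app_name": "IT Helpdesk Connector", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-08-05T10:33:58Z", "user": "dave", "client_id": "app-unknown-77",
     "app_name": "IT Helpdesk Connector", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-08-05T16:40:00Z", "user": "erin", "client_id": "app-unknown-12",
     "app_name": "Calendar Widget", "scopes": ["api"]},
]
APPROVED_CLIENT_IDS = {"app-approved-01"}

def find_suspicious_grants(events, approved, burst_users=3, window=timedelta(hours=1)):
    """Return (severity, client_id, reason) for grants to apps outside the approved list."""
    findings, per_app = [], defaultdict(list)  # per_app: client_id -> [(ts, user)]
    for ev in events:
        if ev["client_id"] in approved:
            continue  # formally approved integration, nothing to flag
        severity = "high" if BROAD_SCOPES & set(ev["scopes"]) else "medium"
        findings.append((severity, ev["client_id"],
                         f"{ev['user']} consented to unapproved app '{ev['app_name']}' "
                         f"with scopes {sorted(ev['scopes'])}"))
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_app[ev["client_id"]].append((ts, ev["user"]))
    # Burst rule: several distinct users consenting to one unapproved app inside a short
    # window looks like a coordinated lure, not an organic integration request.
    for client_id, grants in per_app.items():
        grants.sort()
        for i, (start, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - start <= window}
            if len(users) >= burst_users:
                findings.append(("critical", client_id,
                                 f"{len(users)} users consented within {window} (possible campaign)"))
                break
    return findings
```

Feeding real consent or connected-app installation events from the CRM's audit log into this function, with the allowlist taken from the formal app-approval process, turns the governance policy into a monitored control.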

Conclusion

The Workday CRM breach underscores how attackers exploit supply-chain SaaS platforms, targeting OAuth integrations and CRM logins through phishing campaigns.

While Workday's main systems were not breached, the exposure of contact data enables large-scale impersonation and phishing—potentially more damaging over time than the initial incident.

Key Takeaway:
Organizations must harden SaaS integrations, govern OAuth apps strictly, and train employees against phishing and vishing vectors. Supply-chain SaaS dependencies require the same rigor of security monitoring and incident response as core enterprise systems.

Mine2 Team

The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.
