Workday Confirms Social Engineering Breach Targeting CRM Platform
- Cyber Jack

- Aug 18
Workday has disclosed that a recent social engineering campaign compromised a third-party Customer Relationship Management (CRM) platform it uses, exposing certain customer contact details but not its core systems or HR data.
The S&P 500-listed enterprise software provider, which reported more than $8.4 billion in revenue last year, said attackers gained access to “commonly available business contact information” such as names, email addresses, and phone numbers. While the company did not name the CRM vendor, it emphasized there is “no indication of access to customer tenants or the data within them.”
In a statement, Workday said it acted quickly to cut off the intrusion and has since implemented additional safeguards to prevent similar incidents. The stolen contact information, however, could be leveraged in further social engineering attempts, the company warned.
A Wider Pattern of CRM-Focused Attacks
Workday is the latest in a growing list of organizations to report breaches linked to CRM-targeted social engineering. Allianz Life, Qantas, and Hawaiian Airlines have all faced similar compromises in recent months. Many of these attacks have been tied to threat actors impersonating IT support personnel to convince employees to hand over credentials or grant OAuth permissions.
Security advisories from the past year have repeatedly pointed to Salesforce environments as a prime target for such schemes. In March, Salesforce warned customers about the uptick in attacks and reminded them that, while the platform has enterprise-grade protections, user-side defenses remain a critical piece of the security chain.
Expert Warning: Harden OAuth and Watch the Logs
Tim Peck, Senior Threat Researcher at Securonix, said the breach underscores the need for proactive controls beyond employee training.
“Security teams should assume that CRM/OAuth social engineering paths exist and harden accordingly,” Peck explained. “Some of these paths include disabling end user ‘self consent’ and require admin review (or whitelisted) for new ‘Connected Apps’ or OAuth scopes that could be considered a high risk. Also, enforcing phishing resistant MFA and call back verification for any IT/HR requests and at the same time, feed these requests (CRM/IdP logs) into your SIEM. This can allow for proactive threat hunt opportunities for spikes in API calls/exports, new OAuth grants, strange geos/devices and sudden permission changes, especially in Salesforce Event Monitoring and IdP audit logs.”
He stressed that “defense in depth” is essential, noting that once a malicious OAuth grant is approved, attackers can exfiltrate data via APIs without ever touching user endpoints. In those scenarios, automated server-side pulls cannot be stopped by user awareness alone, making detection and enforcement policies critical.
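The hunt Peck describes can be sketched as a small detection pass over CRM/IdP events; this is an added example, not code from the article, Workday or Securonix. The event schema, app names and thresholds are assumptions, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical normalized schema (not a vendor log format).
EVENTS = [
    {"day": 1, "user": "alice", "type": "api_export", "rows": 120, "country": "US"},
    {"day": 2, "user": "alice", "type": "api_export", "rows": 90, "country": "US"},
    {"day": 3, "user": "alice", "type": "api_export", "rows": 150, "country": "US"},
    {"day": 3, "user": "bob", "type": "api_export", "rows": 40, "country": "DE"},
    {"day": 4, "user": "alice", "type": "oauth_grant", "app": "Data Sync Helper", "country": "US"},
    {"day": 4, "user": "alice", "type": "api_export", "rows": 48000, "country": "NL"},
    {"day": 4, "user": "bob", "type": "oauth_grant", "app": "Approved Mailer", "country": "DE"},
]
APPROVED_APPS = {"Approved Mailer"}  # assumption: the admin-reviewed connected apps


def hunt(events, approved_apps, spike_factor=10, min_history=3):
    """Return (day, user, reason) findings for three signals named in the quote."""
    findings = []
    history = defaultdict(list)   # user -> rows per earlier, unflagged export
    countries = defaultdict(set)  # user -> countries seen so far
    for ev in sorted(events, key=lambda e: e["day"]):
        user = ev["user"]
        # Signal 1: OAuth grant to an app that never went through admin review.
        if ev["type"] == "oauth_grant" and ev["app"] not in approved_apps:
            findings.append((ev["day"], user, f"unapproved OAuth grant: {ev['app']}"))
        # Signal 2: export far above this user's own median baseline.
        if ev["type"] == "api_export":
            past = history[user]
            if len(past) >= min_history and ev["rows"] > spike_factor * median(past):
                findings.append((ev["day"], user, f"export spike: {ev['rows']} rows"))
            else:
                past.append(ev["rows"])  # flagged pulls never enter the baseline
        # Signal 3: first activity from a country not yet seen for this user.
        if countries[user] and ev["country"] not in countries[user]:
            findings.append((ev["day"], user, f"new country: {ev['country']}"))
        countries[user].add(ev["country"])
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, APPROVED_APPS):
        print(finding)
```

The three findings land on the same user and day, which is the correlation worth alerting on: a fresh grant, a new location and a bulk pull together.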
The Bigger Risk
While the immediate fallout appears limited to business contact information, experts warn that such details can be weaponized to mount more convincing phishing or pretexting campaigns. For companies relying heavily on CRMs, the incident serves as a reminder that the most valuable data is not always what attackers target first — sometimes it’s the foothold that matters.


