Workday Suffers Data Breach Amid Wave of Salesforce Customer Attacks

By Henry Martin

Updated August 19, 2025

Workday has been targeted in a social engineering campaign with threat actors gaining access to information from a “third-party CRM platform”, the company has said. 

The HR giant – which boasts 20,000 employees and 11,000 customers in more than 175 countries – revealed the attacks in a blog post on August 15. While the post did not name Salesforce directly, it comes amid a wave of data theft attacks against the cloud giant’s customers.

Chanel, Qantas, Adidas, and Victoria’s Secret are among those reported to be facing social engineering attacks. Google, which was also targeted, revealed in a blog post that the actor had claimed affiliation with the hacking group ShinyHunters (aka UNC6240).

Amid the spate of attacks, Salesforce has had to post an advisory statement explaining that their platform has not been compromised, and the issue is not due to “any known vulnerability in our technology”.

Note from SF Ben: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We have published this article to help.

Workday Data Breach: What Happened? 

Workday revealed in a statement that they had been hit in a recent social engineering campaign targeting many large organizations. 

The company said that, in this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT, with the goal of tricking employees into giving up account access or their personal information. 

This will sound familiar to those of us who have been keeping up with the recent news of Salesforce-related data breaches at other large companies. 

Workday said: “We recently identified that Workday had been targeted, and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.

“The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams.

“It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels.”

The company directed readers to their Security and Trust page.

In a separate notification sent to customers who may have been affected by the incident, Workday said that the breach was discovered on August 6, according to BleepingComputer.

Salesforce Ben has contacted Workday for comment.

Final Thoughts

It seems likely we haven’t seen the last of this kind of statement from a large business. Big names keep coming forward to reveal they have been targeted, and, if we take at face value the quotes attributed to a ShinyHunters spokesperson in an interview with Databreaches.net, things are only going to get worse.

They said: “If trillionaires like Google can’t stop us, then billionaires are nothing. Law enforcement doesn’t have such funding or massive budgets either. They will forget about us in a month or two once we’re done. Then we’ll come back and launch another several-month to year-long sophisticated campaign. Next time it’s going to be much, much worse.”

The old adage, attributed to Robert Mueller, seems to ring truer by the day: “There are only two types of companies: Those that have been hacked and those that will be hacked.”

The Author

Henry Martin

Henry is a Tech Reporter at Salesforce Ben.
