ZeroFox Intelligence Flash Report - Workday Breach Linked to Social Engineering Attack
by Alpha Team

Product Serial: F-2025-08-20a
TLP:CLEAR
In this Flash report, ZeroFox researchers report on Workday's announcement of a data breach and its alleged similarities to the recent Salesforce attacks attributed to the threat group ShinyHunters.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- On August 15, 2025, human resource (HR) management organization Workday announced that threat actors were able to access personally identifiable information (PII) from its unnamed third-party customer relationship management (CRM) platform via a social engineering campaign.
- Although Workday has not yet confirmed this, the attack reportedly resembles the tactics, techniques, and procedures (TTPs) seen in the recent Salesforce attacks first reported in June 2025.
- There is a roughly even chance that threat actors accessed a Workday-related database containing records of Salesforce CRM users, leading to the targeted campaign.
- Although the data exposed in this breach may not lend itself directly to extortion—given much of it is publicly accessible—it still presents significant downstream risks.
Tags: tlp:clear, threat actor, data breach