Workday Salesforce CRM Breach 2025: What You Need to Know

In August 2025, Workday disclosed that its internal Salesforce CRM was accessed by the same ShinyHunters / Scattered Spider campaign that hit Qantas and Allianz Life. Business-contact data was exposed. Crucially, customer HR product data was not affected.

Disclosed: 6 August 2025
Records affected: Undisclosed
Risk level: Medium


What Happened

How the Workday Salesforce CRM Breach Unfolded

July 2025

Workday became a target of the ongoing ShinyHunters / Scattered Spider vishing campaign that had already compromised Salesforce tenants at Qantas, Allianz Life and others. Attackers placed voice-phishing calls to Workday helpdesk staff impersonating authorised employees.

Early August 2025

Attackers successfully convinced a Workday helpdesk agent to reset MFA on a Salesforce administrator account, then exfiltrated business contact data from Workday's Salesforce CRM.

6 August 2025

Workday publicly disclosed the incident, explicitly clarifying that customer HR product data was not affected. The breach was limited to Workday's own sales and marketing CRM, which contains business contact information for prospects and customer relationships.

Workday's disclosure emphasised: "Customer tenants and the data stored within them (payroll, HR records, performance data) were not impacted. The affected system is our internal sales CRM."

August 2025 onwards

Workday began notifying business contacts whose data may have been in the affected CRM. Workday hardened helpdesk identity-verification procedures and engaged external forensics specialists.

Source: CSO Online (Aug 2025)

What Was Exposed

Business Contact Data Leaked in the Breach

The affected Salesforce CRM held business contact information that Workday uses for sales and marketing, not the HR product data that customers store in their Workday tenants. The dataset is principally useful to attackers for B2B spear-phishing.

| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | Medium | Business contacts at Workday customer and prospect companies |
| Business email address | High | Business contacts in the Workday Salesforce CRM |
| Business phone number | Medium | Subset of business contacts |
| Job title and employer | Low | Business contacts in the Workday Salesforce CRM |
| Sales / customer-relationship metadata | Low | Deal stage, account history, plan information |

Risk levels are based on the OAIC's "What is personal information?" guidance and the OAIC Australian Privacy Principles. Business-contact data is rated lower than direct personal identifiers because it is publicly correlated with role and employer; however, it remains an effective ingredient for targeted spear-phishing of named buyers and influencers.

✅ Confirmed NOT Exposed

Workday has confirmed that customer HR product data (employee records, payroll, benefits, performance reviews, and tenant administrator credentials) was not in scope. The affected system is Workday's internal Salesforce CRM, which is logically and physically separate from the customer-facing Workday HR platform.

Company Response

What Workday Did

“We have notified affected business contacts and the relevant authorities. Customer tenants (including all HR product data) were not impacted. We have taken steps to further harden our helpdesk identity-verification procedures and are working with external specialists.”
Workday statement, August 2025

Actions Taken by Workday

  • Isolated the affected Salesforce CRM and rotated administrator credentials
  • Engaged external cyber forensics specialists to confirm scope
  • Notified regulators in the US, EU and Australia under applicable breach-notification rules
  • Began emailing affected business contacts with details of the specific fields exposed
  • Hardened helpdesk identity-verification procedures including mandatory out-of-band callback for MFA-reset requests
  • Reviewed access controls across all SaaS administrative accounts and accelerated FIDO2 hardware-key rollout for privileged users

What Now?

Steps You Can Take After the Workday Salesforce Breach

The biggest risk from this breach is B2B spear-phishing. The combination of business email, job title, employer and CRM deal context gives scammers everything they need to impersonate Workday account managers or your colleagues with convincing detail.

Workplace and Business SaaS Accounts

Your business contact details were exposed. Other SaaS B2B vendors may hold similar profiles of you.

Review your Workday tenant administrator hygiene

~15 min
If your company is a Workday customer, audit the list of tenant administrators, require FIDO2 hardware keys for admin access, and enable real-time alerting on MFA-reset events. The Workday HR product was not affected by this breach, but customer-tenant accounts remain a high-value target for follow-on attacks using the leaked B2B context.
Workday Trust Center

Review other B2B SaaS accounts

The same B2B contact data sits in Salesforce, HubSpot, Pipedrive, Outreach, Gong and other vendor CRMs across the industry. Where you can, audit recent access to your contact record on each platform, and ensure your sales / customer-success contacts at major vendors have not been targeted with social engineering.

Business Email and Digital Identity

Business email is the front line for spear-phishing. Hardening it is the single biggest payoff.

Strengthen business-email security

~5 min
Update the password on your work email account and enable MFA (ideally a hardware key rather than SMS). Check email forwarding rules and connected-app permissions, which attackers sometimes plant to silently intercept future communications. Where your IT team allows it, enable phishing-aware safety prompts.

Treat unsolicited Workday-themed messages with suspicion

Expect emails claiming to be from Workday support, account managers or implementation partners asking you to verify credentials, sign documents or join calls. Always verify via a known internal channel or your established Workday account manager; never click through unsolicited links.

Vishing-Resistance Hygiene

The attack pattern that compromised Workday is targeting helpdesks everywhere. The same hygiene protects your organisation.

Train helpdesks to verify callers out-of-band

The Workday breach (like Qantas, Allianz Life and many others in 2025) started with a phone call to a helpdesk agent. Helpdesks should be trained to never reset MFA on a single phone call, no matter how legitimate the caller sounds. A required callback to a known internal number adds a small amount of friction that defeats the entire attack class.

Adopt FIDO2 hardware keys for privileged accounts

Hardware keys cannot be remotely reset by a helpdesk agent and are immune to phishing. For administrator-level access to Salesforce, Workday, Microsoft 365, Google Workspace and similar critical SaaS, hardware keys are the strongest available control.

Configure real-time alerting on MFA resets

Most identity providers (Okta, Microsoft Entra, Google Workspace) can emit a signal on every MFA-reset event for privileged accounts. Send these to your SOC or a dedicated channel so resets can be reviewed within minutes, not hours.
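The alerting rule described above, sketched as an added example (not Workday's or any vendor's code): it raises a review alert for every MFA reset on a privileged account and escalates when a sign-in from a previously unseen IP follows. The event types and field names follow the Okta System Log format; the account names, IP addresses, admin list and 60-minute window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Okta System Log event types; other identity providers use different names.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
LOGIN_EVENT = "user.session.start"
PRIVILEGED = {"sf-admin@example.com", "wd-admin@example.com"}  # assumed admin list
FOLLOW_UP = timedelta(minutes=60)  # assumed review window after a reset

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"published":"2025-08-01T01:00:00Z","eventType":"user.session.start","actor":{"alternateId":"sf-admin@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2025-08-01T09:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"type":"User","alternateId":"sf-admin@example.com"}]}
{"published":"2025-08-01T09:07:00Z","eventType":"user.session.start","actor":{"alternateId":"sf-admin@example.com"},"client":{"ipAddress":"198.51.100.77"}}
{"published":"2025-08-01T10:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk2@example.com"},"target":[{"type":"User","alternateId":"jane@example.com"}]}
{"published":"2025-08-01T11:00:00Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"helpdesk2@example.com"},"target":[{"type":"User","alternateId":"wd-admin@example.com"}]}
""".strip().splitlines()

def _when(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def _user(event):
    # Resets name the affected user in target[]; sign-ins name them as actor.
    if event["eventType"] in RESET_EVENTS:
        return next(t["alternateId"] for t in event["target"] if t["type"] == "User")
    return event["actor"]["alternateId"]

def mfa_reset_alerts(lines):
    """Alert on every privileged MFA reset; escalate if a sign-in from an
    IP never seen for that user follows within FOLLOW_UP."""
    events = sorted((json.loads(line) for line in lines), key=_when)
    seen_ips, alerts = {}, []
    for event in events:
        user, kind = _user(event), event["eventType"]
        if kind in RESET_EVENTS and user in PRIVILEGED:
            alerts.append({"user": user, "time": _when(event), "severity": "review",
                           "reset_by": event["actor"]["alternateId"], "new_ip": None})
        elif kind == LOGIN_EVENT:
            ip = event["client"]["ipAddress"]
            if ip not in seen_ips.setdefault(user, set()):
                for alert in alerts:
                    if alert["user"] == user and _when(event) - alert["time"] <= FOLLOW_UP:
                        alert.update(severity="high", new_ip=ip)
            seen_ips[user].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in mfa_reset_alerts(SAMPLE_LOG):
        print(alert)
```

The `reset_by` field records which helpdesk account performed the reset, which is the first thing a reviewer needs when confirming whether the out-of-band callback took place.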

Monitoring and Reporting

Resources for breach response and identity protection.

Report business-email compromise attempts

If you receive a suspicious email referencing your Workday role or company context, report it to your security team and to ReportCyber (ACSC) in Australia. Reporting helps authorities track the wider campaign and may protect peers at other organisations.

Contact IDCare for personal exposure

IDCare (1800 595 160) is Australia's national identity and cyber support service. They can provide tailored guidance for business contacts whose data has been exposed in B2B-themed breaches.


Are You Still at Risk?

Compound Risk: Workday Plus the Wider Salesforce Campaign

The Workday Salesforce CRM breach is one of many incidents from a coordinated 2025 vishing campaign. If your business contact data appears in two or more victim CRMs, the cumulative profile makes targeted impersonation significantly easier.

Why this matters

The same threat actors hit Qantas, Allianz Life, Workday and dozens of others through the same playbook. A spear-phishing attack against you that references real CRM context from multiple of these companies is far more likely to succeed than a generic phishing email. The defence is consistent hygiene across all of your B2B vendor relationships, not just any one.

  • Salesforce ShinyHunters Campaign (2025): ~1B aggregate - parent vishing campaign
  • Allianz Life (2025): 2.8M - same playbook, same threat actor
  • Qantas (2025): 5.7M - same playbook, same threat actor
  • Salesloft Drift (2025): 700K - related supply-chain compromise


Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Workday, Inc. or Salesforce, Inc. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.