Shawn - stock.adobe.com

News

Workday hit in wave of social engineering attacks

A campaign of voice-based social engineering attacks targeting users of Salesforce’s services appears to have struck HR platform Workday

Alex Scroxton
By
Published: 18 Aug 2025 16:45

Human resources (HR) platform provider Workday has become the latest large organisation to fall victim to a cyber attack originating through a third-party supplier, as the impact of a wave of cyber attacks – likely orchestrated through Salesforce products and linked to the ShinyHunters cyber crime collective – continues to reverberate.

In a notice published just prior to the weekend of 16–17 August, the firm said it had fallen victim to a social engineering campaign “targeting many large organisations”.

Cyber news outlet Bleeping Computer firmed up a link to Salesforce. Workday named neither the threat actor or the software supplier involved.

“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM [customer relationship management] platform,” the company said.

“There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.

“The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams,” it continued.

“It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels.”

ShinyHunters

The breach of Workday’s systems puts it among a growing number of companies to have been compromised by ShinyHunters in the past few weeks, including the likes of Adidas, Air France-KLM, Allianz, Google, multiple LVMH brands, Pandora and Qantas, in a campaign that closely mirrors a similar series of cyber attacks conducted by the Scattered Spider group – including the April hack of Marks & Spencer.

Threat attribution is a notoriously imprecise science, but a growing body of evidence now suggests that ShinyHunters and Scattered Spider are, at the very least, aligned somewhat through shared links to a wider underground group known as The Com, and may in fact be one and the same, according to ReliaQuest.

Researchers at Flashpoint are also now making the connection, going so far as to tentatively attribute the current wave of CRM-linked breaches to Scattered Spider in a briefing document published on 15 August.

Offering more evidence of a connection, the Flashpoint teamed also noted that Scattered Spider now appears to have shifted primarily to voice-based phishing (vishing) as its “primary social engineering technique”, a departure from tactics that closely mirrored the preferred methods of ShinyHunters.

Manipulation and trickery

Regardless of the attackers’ true identities, the latest cyber attack in the current campaign highlights that a great many of the most high-profile and damaging data breaches of recent months arose not through software vulnerabilities, but through simple manipulation and trickery of ordinary employees going about their day-to-day work.

Dray Agha, senior manager of security operations at Huntress, said this trend highlighted the need for businesses to adopt three core “non-negotiable” defences.

“Eliminate OAuth blind spots, enforce strict allow-listing for third-party app integrations, and review connections at a regular interval,” he said. “Adopt phishing-resistant MFA: hardware tokens are essential, as ‘MFA fatigue’ attacks remain trivial.

“A huge number of attacks begin with social engineering, users being deceived, and user enrolment in the execution of malware – effective security awareness training is a must for any organisation that wishes to repudiate cyber attacks.”

Timeline: Scattered Spider, ShinyHunters, and social engineering

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 4 June: A threat group is using voice phishing to trick targeted organisations into sharing sensitive credentials, according to Google. (Cybersecurity Dive)
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signalling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 26 June: US authorities have unsealed charges against 25-year-old hacker Kai West, aka IntelBroker, accusing him of being behind multiple cyber attacks.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to 6 million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier Qantas begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider's attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
  • 16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
  • 24 July: Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant.
  • 30 July: CISA, the FBI, NCSC and others have clubbed together to update previous guidance on Scattered Spider's playbook, warning of new social engineering tactics and exploitation of legitimate tools, among other things.
  • 7 August: Air France - KLM alerts authorities of a data breach in which threat actors were able to get away with names, email addresses, phone numbers, and more. (Dark Reading)
  • 7 August: ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas. (Dark Reading)
  • 11 August: Computer Weekly gets under the skin of an ongoing wave of ShinyHunters cyber attacks orchestrated via social engineering against Salesforce users.
  • 12 August: ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters and Scattered Spider cyber gangs

Read more on Data breach incident management and recovery