ShinyHunters Breach Workday in Latest Salesforce Attack
Workday was hit by a breach linked to ShinyHunters’ global campaign. Attackers accessed CRM data in the latest of many Salesforce-targeted incidents.
Note: This campaign is still ongoing, with new breaches surfacing daily.
What Happened: Workday, the human resources giant, has been breached after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack. Although Workday has not confirmed it, this attack is likely linked to ShinyHunters’ expansive campaign in recent months.
Attacks In-Depth: In a blog post published Friday, Workday explains that ShinyHunters stole personal information including names, email addresses, and phone numbers.
The Impact: Workday has stated there was “no indication of access to customer tenants or the data within them”. However, the stolen information may be weaponized in future social engineering scams.
Attack Techniques: Similar to past Salesforce attacks, ShinyHunters posed as HR staff in a social engineering ploy, tricking employees into giving up information.
Workday’s Response: Workday has blocked the compromised CRM, implemented additional security measures, and warned customers about impersonation risks.
Broader Campaign: This breach is just the latest event in a wave of Salesforce-targeted attacks tied to ShinyHunters. The threat group has already hit major industry leaders like Google, Adidas, Qantas, and Air France, among others. They’ve also recently leaked the data of one of their victims, insurance giant Allianz Life.
Why This Matters:
Cybersecurity incidents are rarely isolated. Instead, they unfold as large-scale campaigns like these. Threat actors move laterally across ecosystems, leveraging data and insights from earlier breaches to fuel their next wave of attacks.
It is critical to note that these incidents do not indicate any inherent vulnerability in Salesforce. These breaches highlight the importance of the shared responsibility model, where organizations must properly secure their accounts, credentials, and access controls in addition to Salesforce’s built-in protections.
Taking a Step Back:
SaaS is a massive blind spot for most organizations. While investments flow into traditional defenses like zero trust architecture and IdP, attackers are targeting SaaS, where visibility is low and controls are fragmented.
Threat actors are increasingly sophisticated, and with the rise of AI tools, it is likely that attacks will become more frequent and harder to detect. AI can enable more convincing phishing campaigns, automate reconnaissance, and scale attacks, raising the stakes for organizations everywhere.
Humans are often the weakest link in the security chain. Despite robust technical safeguards, social engineering tactics like vishing exploit human vulnerabilities, leading to unintentional security breaches.
Prevention Methods:
General Strategies:
Ensure visibility and monitoring over SaaS applications. SaaS attacks are up 300% year over year, highlighting the need for proactive security.
Educate staff on vishing and social engineering threats
Educate staff on fake SSO phishing sites
Ensure staff are only granted the permissions needed for their role
Control access to Connected Applications
Restrict access to named IP ranges
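As an added example (not from Workday, Obsidian or the original post), the last two controls above can also be audited after the fact: the script below takes records shaped like Salesforce LoginHistory and OauthToken rows (constructed sample data; the named IP ranges and the approved connected-app allowlist are assumed values) and flags successful logins from outside the named ranges and connected-app authorizations that are not on the allowlist.

```python
import ipaddress

# Named IP ranges registered for login in the org. Constructed sample values;
# replace with the ranges actually configured in your own org.
NAMED_IP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Connected apps that have been reviewed and approved. Assumed allowlist.
APPROVED_CONNECTED_APPS = {"Salesforce for Outlook", "Data Loader"}

# Constructed records shaped like LoginHistory rows (UserId, SourceIp, Status, Application).
SAMPLE_LOGINS = [
    {"UserId": "005AAA", "SourceIp": "203.0.113.40", "Status": "Success", "Application": "Browser"},
    {"UserId": "005BBB", "SourceIp": "198.51.100.200", "Status": "Success", "Application": "Browser"},
    {"UserId": "005CCC", "SourceIp": "192.0.2.77", "Status": "Success", "Application": "Data Loader"},
    {"UserId": "005DDD", "SourceIp": "192.0.2.78", "Status": "Invalid Password", "Application": "Browser"},
]

# Constructed records shaped like OauthToken rows (UserId, AppName, UseCount).
SAMPLE_OAUTH_TOKENS = [
    {"UserId": "005AAA", "AppName": "Data Loader", "UseCount": 12},
    {"UserId": "005CCC", "AppName": "Bulk Export Helper", "UseCount": 1},
]


def logins_outside_named_ranges(logins, ranges=NAMED_IP_RANGES):
    """Return (user, ip, application) for successful logins from outside every named range."""
    findings = []
    for row in logins:
        if row["Status"] != "Success":
            continue  # failed attempts are handled by a different check; skip them here
        ip = ipaddress.ip_address(row["SourceIp"])
        if not any(ip in net for net in ranges):
            findings.append((row["UserId"], row["SourceIp"], row["Application"]))
    return findings


def unapproved_connected_apps(tokens, approved=APPROVED_CONNECTED_APPS):
    """Return (user, app) pairs where a user has authorized a connected app not on the allowlist."""
    return [(t["UserId"], t["AppName"]) for t in tokens if t["AppName"] not in approved]


if __name__ == "__main__":
    for finding in logins_outside_named_ranges(SAMPLE_LOGINS):
        print("login outside named IP ranges:", finding)
    for finding in unapproved_connected_apps(SAMPLE_OAUTH_TOKENS):
        print("unapproved connected app authorization:", finding)
```

In a real org the rows would come from a LoginHistory / OauthToken query rather than the inline lists; the checks themselves are unchanged.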
For Obsidian customers:
Monitor Obsidian alerts for any related to Salesforce or Okta
Consistently review native and 3rd-party application integrations in your core SaaS applications. Obsidian's Integration Risk Management (IRM) capabilities allow you not only to monitor the addition or modification of privileges/scopes but also to gain visibility into how these integrations are being used or interacted with.
Use Obsidian’s Browser Extension to detect and automatically block Identity Takeovers (ATO) from advanced phishing kits (such as Evilginx reverse proxy websites)