Workday hacked: HR giant Workday says hackers stole personal data in recent breach

Workday, the $70 billion HR and finance software giant, has joined the growing list of major companies caught up in a sweeping cyberattack campaign that’s targeting enterprise databases worldwide. The company confirmed that hackers broke into a third-party system it uses for customer relationship data and stole personal information.
In a blog post published late Friday, Workday said:
“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”
According to Workday, attackers accessed names, phone numbers, and email addresses stored in a Salesforce-hosted database. While the company stressed there’s “no indication of access to customer tenants or the data within them,” the stolen information could still be weaponized in phishing and extortion schemes aimed at customers and employees.
Workday breach part of global cyberattack wave targeting corporate HR and finance data
The campaign behind the breach has already hit some of the biggest names in tech, retail, and travel—Google, Cisco, Qantas, and Pandora among them. Security researchers point to two familiar groups, Scattered Spider and ShinyHunters, as the likely culprits. Both are known for bypassing multi-factor authentication and impersonating IT or HR staff to trick victims into handing over credentials.
Unlike ransomware, these attacks don’t rely on malware. They’re driven by stolen logins and social engineering. Once inside, attackers often target administrators and executives, grab sensitive data, and then pressure companies to pay up. Even then, security experts warn that stolen data usually resurfaces later on black markets, fueling more scams.
Workday’s blog post, which disclosed the incident, said the company acted quickly to cut off the intrusion and has rolled out additional safeguards.
Still, the disclosure raised questions. As of publication, the blog post was hidden from search engines with a “noindex” tag, making it harder for affected customers to find. Workday declined to answer TechCrunch’s questions about how many people were impacted, whose data was stolen, or whether its internal logs could confirm what was taken.
With more than 11,000 corporate clients and at least 70 million users globally, Workday sits at the center of sensitive HR and finance operations. That makes it a prime target for groups like ShinyHunters, which Google recently said may be preparing a data leak site to pressure victims into paying to suppress stolen records—similar to ransomware playbooks.
The attack on Workday adds another high-profile name to the growing roster of companies whose Salesforce databases have been breached in recent weeks. Adidas, Allianz Life, Dior, Louis Vuitton, and Air France-KLM are among those believed to have been targeted in the same campaign.
For now, Workday is sticking to its line that customer tenants weren’t breached. But with attackers already armed with a trove of business contacts, the real fallout may come in the next wave of phishing calls and emails landing in inboxes worldwide.