Hackers steal data through Workday’s third-party database

Photo by Mika Baumeister on Unsplash
By: Jennifer Blair

In August 2025, a third-party customer relationship database connected to Workday, a widely used hiring and job application platform, was compromised by hackers, exposing personal information, as reported by TechCrunch.

 

Hackers accessed and stole an unknown quantity of personal information from the compromised database, which Workday said was primarily used to store contact details such as names, email addresses, and phone numbers.

 

Workday noted that the breach did not open access to customer tenants or the data stored within them, which are used by corporate clients to manage HR files and employee records.

 

While the scope of the breach remains unclear, the company noted that the exposed information might facilitate social engineering tactics, in which hackers attempt to deceive individuals into revealing confidential data.

 

Scale of the Impact

 

Workday serves over 11,000 corporate customers and more than 70 million users worldwide, which highlights the potential reach of the breach. 

 

The company has not disclosed how many individuals were affected or whose data was involved and would not confirm whether it has the technical means (e.g., logs) to determine what data was compromised.

 

Lack of Transparency 

 

While Workday announced the data breach, reporting sources noted that Workday’s blog post disclosing the breach included a hidden “noindex” tag in its source code, which instructs search engines not to list the page in search results, making it more difficult for users to locate the notice online. 

 

The reason for keeping this breach disclosure hidden from search engines has not been explained.

 

Connection to Recent Salesforce-Linked Attacks

 

Workday did not identify the breached third-party database provider, however, the disclosure follows a series of recent cyberattacks on Salesforce-hosted systems used by major corporations, including Google, Cisco, Qantas, and Pandora. 

 

These incidents have been linked to the hacker group ShinyHunters by Google, a cybercrime group recognized for exploiting voice phishing tactics to obtain access to company cloud systems by deceiving employees. 

 

Google further speculated that ShinyHunters was potentially in the process of setting up a data leak site, aiming to extort victims into paying for the deletion of their stolen information, a method similar to that used by ransomware  groups.

 

Related Content:

Fog ransomware attack on Asian org used Syteca tracking tool 

Hackers abuse Kickidler time tracker in ransomware attacks

Microsoft releases screenshot monitoring feature for select PCs 

See All