Hackers steal data through Workday’s third-party database

In August 2025, a third-party customer relationship database connected to Workday, a widely used hiring and job application platform, was compromised by hackers, exposing personal information, as reported by TechCrunch.
Hackers accessed and stole an unknown quantity of personal information from the compromised database, which Workday said was primarily used to store contact details such as names, email addresses, and phone numbers.
Workday noted that the breach did not open access to customer tenants or the data stored within them, which are used by corporate clients to manage HR files and employee records.
While the scope of the breach remains unclear, the company noted that the exposed information might facilitate social engineering tactics, in which hackers attempt to deceive individuals into revealing confidential data.
Connection to Recent Salesforce-Linked Attacks
Workday did not identify the breached third-party database provider, however, the disclosure follows a series of recent cyberattacks on Salesforce-hosted systems used by major corporations, including Google, Cisco, Qantas, and Pandora.
Those incidents have been linked to the hacker group ShinyHunters by Google, A cybercrime group recognized for exploiting voice phishing tactics to obtain access to company cloud systems by deceiving employees.
Google further reported that ShinyHunters was in the process of setting up a data leak site, aiming to extort victims into paying for the deletion of their stolen information, a method similar to that used by ransomware groups.
Scale of the Impact
Workday serves over 11,000 corporate customers and more than 70 million users worldwide, which highlights the potential reach of the breach.
The company has not disclosed how many individuals were affected or whose data was involved and would not confirm whether it has the technical means (e.g., logs) to determine what data was compromised.
Lack of Transparency
Workday’s page disclosing the data breach included a hidden “noindex” tag in its source code, which instructs search engines not to list the page in search results, making it more difficult for users to locate the notice online.
The reason for keeping this breach disclosure hidden from search engines has not been explained.
Related Content:
Fog ransomware attack on Asian org used Syteca tracking tool
Hackers abuse Kickidler time tracker in ransomware attacks
Microsoft releases screenshot monitoring feature for select PCs