Workday Confirms Data Breach – Hackers Accessed Customers Data and Case Information

Workday has confirmed it suffered a data breach after a security incident involving a third-party application that compromised customer information.

The breach originated from Salesloft’s Drift application, which connects to Salesforce environments.

On August 23, 2025, Workday became aware of the issue and immediately disconnected the app, invalidated its access tokens, and initiated an investigation with the support of an external forensics firm. The incident highlights the persistent risks associated with third-party integrations in enterprise environments.

The root cause of the breach was a compromise within Salesloft’s systems. On August 26, 2025, Salesloft confirmed that a threat actor had breached its infrastructure, obtained OAuth credentials, and used them to execute searches within its customers’ Salesforce environments.

Workday’s own investigation confirmed that its Salesforce instance was impacted by this unauthorized access.

In response, Workday promptly began evaluating all of its vendors that utilize the Drift application to assess the full scope of the incident and prevent further unauthorized activity. The company emphasized that its core customer tenants were not directly accessed or compromised through this vector.

Data Exposed

According to Workday’s investigation, which a third-party forensics firm verified, the threat actor’s access was limited to a very small subset of information stored within its Salesforce environment.

The exposed data includes business contact information, basic support case details, tenant-related attributes such as tenant and data center names, product and service names, training course records, and event logs.

Crucially, the threat actor did not gain access to sensitive external files like contracts, order forms, or any attachments that customers may have included in support cases.

Workday is proactively searching all support cases for any credentials that may have been inadvertently shared and will notify affected customers directly.

Out of an abundance of caution, Workday is strongly urging all customers to immediately rotate any credentials that may have been shared with its support teams through a support case.

The company reiterated its advice that customers should never include sensitive information, such as login credentials, in support tickets.
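The search of support cases for inadvertently shared credentials described above can be approximated with a pattern scan over exported case text. This is an added example, not code from Workday or the original article; the case IDs, case text, pattern set and function names are all constructed for illustration.

```python
import hashlib
import re

# Secret shapes often pasted into tickets. The AWS key-ID prefix and PEM header
# are public formats; the other patterns are heuristics chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)"),
    "labelled_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b"
        r"(?:\s+is\s+|\s*[:=]\s*)[\"']?([^\s\"',;]{6,})"),
}
PLACEHOLDER = re.compile(r"(?i)^(?:\*+|x{4,}|<.*>|redacted|changeme)$")
CHAR_CLASSES = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")

def looks_like_secret(value):
    """Reject placeholders and plain words such as 'password is required'."""
    value = value.rstrip(".")
    if PLACEHOLDER.match(value):
        return False
    return sum(bool(re.search(c, value)) for c in CHAR_CLASSES) >= 2

def redact(value):
    """Keep a short fingerprint so repeats correlate without storing the secret."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
    return f"{value[:2]}***(len={len(value)}, sha256={digest})"

def scan_case(case_id, text):
    """Return (case_id, kind, redacted_match) for each likely credential."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)
            if kind == "labelled_secret" and not looks_like_secret(value):
                continue
            findings.append((case_id, kind, redact(value)))
    return findings

# Constructed sample cases; the AWS value is the public documentation example.
SAMPLE_CASES = {
    "CASE-0001": "Integration fails. Service user svc_int, password: Summer2025!x",
    "CASE-0002": "A password is required here but SSO handles login. Nothing shared.",
    "CASE-0003": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl'",
    "CASE-0004": "Our key AKIAIOSFODNN7EXAMPLE was in the log; token=<redacted>",
}

def scan_all(cases):
    return [f for cid, text in cases.items() for f in scan_case(cid, text)]
```

Each finding identifies a case whose owner should be told to rotate the credential; the output carries only a redacted fingerprint, so the scan results do not become a second copy of the secrets.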

In addition to this primary recommendation, Workday advised customers to follow security best practices, including the mandatory use of multi-factor authentication, conducting regular phishing awareness training for employees, and actively monitoring user activity for any signs of suspicious behavior. Salesloft has also published its own security recommendations for customers to review.

Confirmed victims of this supply chain attack include:

  • Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
  • Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
  • Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts were accessed through the compromised tokens.
  • Cloudflare: Confirmed a data breach in which a sophisticated threat actor accessed and stole customer data from the company’s Salesforce instance.
  • PagerDuty: Confirmed a security incident that resulted in unauthorized access to some of its data stored in Salesforce.
  • Tenable: Confirmed a data breach that exposed the contact details and support case information of some of its customers.
  • Qualys: Confirmed it was impacted by a widespread supply chain attack that targeted the Salesloft Drift marketing platform, resulting in unauthorized access to a portion of its Salesforce data.
  • Dynatrace: Confirmed it was impacted by a third-party data breach originating from the Salesloft Drift application, resulting in unauthorized access to customer business contact information stored in its Salesforce CRM.
  • Elastic: Disclosed a security incident stemming from a third-party breach at Salesloft Drift, which resulted in unauthorized access to an internal email account containing valid credentials.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.