Workday, the global HR software provider used by more than 11,000 organizations—including over 60% of Fortune 500 companies—has confirmed a data breach caused by a social engineering attack. Unlike traditional hacks that exploit system vulnerabilities, this incident highlights an uncomfortable truth: the weakest link in cybersecurity is often human. On August 6, 2025, attackers impersonated HR and IT staff through phone calls and SMS messages. By tricking employees into sharing credentials, they gained unauthorized access to Workday’s Salesforce CRM system. The data exposed included names, business emails, and phone numbers. Some may dismiss names and email addresses as “low-risk.” In reality, these details are the perfect ammunition for attackers. If someone calls or emails you already knowing your role, manager, or department, it becomes much harder to recognize fraud.
Workday Confirms Security Breach Linked to Salesforce Attack
Global HR software giant Workday, which provides human resources and financial management platforms to more than 11,000 organizations—including over 60% of Fortune 500 companies—has officially confirmed a recent social engineering attack.
According to Workday, the incident compromised certain data stored on its third-party Salesforce CRM platform. Tech outlet BleepingComputer reported that the attack is tied to the recent large-scale Salesforce database intrusion, which has already affected several international brands such as Adidas, Google, Qantas, Chanel, and Louis Vuitton.
The breach occurred on August 6, 2025, when attackers posed as HR or IT staff via phone calls and SMS messages to trick Workday employees into revealing account credentials or sensitive information. With these details, the threat actors gained access to Salesforce-stored contact data.
On August 15, Workday issued a public statement stressing that no customer tenants or core system data were compromised. However, the company acknowledged that a significant amount of business contact information—including names, email addresses, and phone numbers—was exposed.
“We want to inform you that several large institutions, including Workday, have been targeted by recent social engineering campaigns. While we found no evidence that customer tenant data was accessed, the information obtained mainly included common business contact details such as names, email addresses, and phone numbers.” — Workday Official Statement
Workday also warned that these leaked details could be used in follow-up phishing or social engineering scams, urging organizations to remain cautious.
Interestingly, some users on Reddit noticed that Workday’s official disclosure page contained a hidden “noindex” tag, preventing search engines from indexing the announcement. Critics argued that this move may have been intended to protect the company’s reputation, sparking concerns that transparency and user protection were not prioritized.
What Is a Social Engineering Attack?
In the case of the Workday data breach, the attackers didn’t rely on a traditional technical vulnerability. Instead, the breach was made possible through a social engineering attack—a method that exploits human behavior rather than directly targeting systems.
At its core, social engineering is about manipulation and deception. It doesn’t target computers; it targets people. Hackers pose as “trusted” staff or partners and trick employees into giving away access.
For example, attackers may impersonate IT or HR staff, contacting employees via phone or email. They often ask the employee to click a link and authorize what appears to be a legitimate business application. In reality, this could be a malicious OAuth app, granting hackers valid access credentials to the company’s systems.
The Top 3 Social Engineering Tactics Users and Businesses Should Watch Out For
The leaked names, phone numbers, and email addresses from the Workday incident may seem ordinary at first glance. But in the hands of cybercriminals, this data becomes the perfect fuel for social engineering attacks. With just these details, attackers can craft highly convincing phishing emails or make scam phone calls that appear legitimate.
For example, imagine receiving a call from your company’s “IT support” team. If the caller knows your full name, department, and even your direct manager’s name, it becomes much harder to recognize the call as a scam. This personalization makes victims far more likely to comply with fraudulent requests.
1. Phishing 2.0 (Spear Phishing)
Traditional phishing emails were often easy to spot—poor grammar, suspicious sender addresses, or generic greetings quickly gave them away. But with access to leaked names, job titles, and company details, attackers can now craft personalized phishing campaigns, also known as spear phishing.
For example, a message titled “Workday Security Verification Notice” may appear to come from an official company address. If it greets you by your full name and uses the same formatting as legitimate Workday communications, the chances of you clicking the link or providing credentials increase dramatically.
2. Phone-Based Scams (Vishing)
Following a data breach, attackers may directly call employees, posing as HR or IT support staff. They often claim the call is part of a “security verification” or “system update process.” Since the caller already knows the employee’s name, department, or role, the interaction feels authentic, making it much harder for the victim to question.
This type of phone-based scam, known as vishing (voice phishing), has long been common in the financial sector. Now, it’s increasingly making its way into enterprise SaaS environments, targeting platforms like Workday.
3. Business Email Compromise (BEC)
If attackers take impersonation a step further, they can launch Business Email Compromise (BEC) scams. In these schemes, hackers pose as executives, clients, or business partners to manipulate victims into transferring money or sharing sensitive information.
Common examples include:
- A fake email from a manager instructing an employee to make an urgent wire transfer.
- Fraudulent invoices requesting payment.
- Impersonation of a vendor requesting updated bank account details.
These scams are effective precisely because attackers often have access to enough real business information—such as names, departments, or partner details—to make their requests seem legitimate.
How to Protect Your Company from Social Engineering Attacks
If there’s one takeaway from the Workday breach, it’s this: training employees is just as important as securing systems. Organizations must adopt layered defenses that address both human error and technical risk.
1. Strengthen Employee Security Awareness
Employees are often the weakest link in cybersecurity. Companies should conduct regular phishing simulations and security awareness training to help staff recognize suspicious emails, phone calls, or login requests before falling victim to scams.
2. Control Third-Party Access Strictly
The Workday incident highlights an important truth: while a core platform may be secure, third-party integrations can introduce vulnerabilities.
✔ Enforce the principle of least privilege for all third-party apps.
✔ Regularly review and audit OAuth permissions and API access.
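One way to run the OAuth review described above, shown as an added example rather than code from Workday, Salesforce, or Lydsec. The approved-app policy, the grant inventory, its field names, and the app names are all constructed for illustration; a real audit would load the inventory from the platform's own connected-app report.

```python
from datetime import date

# Assumed policy: approved third-party apps and the most scopes each may hold.
APPROVED = {
    "Marketing Sync": {"api"},
    "Support Desk": {"api", "refresh_token"},
}
BROAD_SCOPES = {"full"}       # treated as too broad for any integration (assumption)
NEW_GRANT_WINDOW_DAYS = 7     # how recent an unapproved grant must be to escalate

# Constructed sample inventory; field names are hypothetical, not a vendor export format.
GRANTS = [
    {"app": "Marketing Sync", "user": "a.lee", "scopes": ["api"],
     "granted": "2025-03-02"},
    {"app": "Support Desk", "user": "b.kim",
     "scopes": ["api", "refresh_token", "full"], "granted": "2025-05-11"},
    {"app": "Ticket Export Tool", "user": "c.ng",
     "scopes": ["api", "refresh_token"], "granted": "2025-08-05"},
]

def audit_grants(grants, approved, today):
    """Return (app, user, reasons) for every grant that violates the policy."""
    findings = []
    for g in grants:
        scopes = set(g["scopes"])
        reasons = []
        allowed = approved.get(g["app"])
        if allowed is None:
            reasons.append("app not on approved list")
        else:
            extra = scopes - allowed
            if extra:
                reasons.append("scopes beyond approval: " + ", ".join(sorted(extra)))
        if scopes & BROAD_SCOPES:
            reasons.append("broad scope granted")
        # A fresh authorization of an unknown app is what a successful
        # "please approve this app" call or SMS leaves behind.
        age = (today - date.fromisoformat(g["granted"])).days
        if allowed is None and age <= NEW_GRANT_WINDOW_DAYS:
            reasons.append(f"unapproved app authorized {age} day(s) ago")
        if reasons:
            findings.append((g["app"], g["user"], reasons))
    return findings

if __name__ == "__main__":
    for app, user, reasons in audit_grants(GRANTS, APPROVED, date(2025, 8, 6)):
        print(f"{app} ({user}): " + "; ".join(reasons))
```

Findings that combine an unapproved app with a recent grant date are the ones to route to incident response first, since they match the authorization pattern described in the social engineering section.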
3. Implement Strong Multi-Factor Authentication (MFA)
Passwords and basic two-factor codes are no longer enough. Advanced MFA solutions—like Keypasco MFA developed by Lydsec—offer passwordless authentication using FIDO2 standards, biometric authentication, geolocation checks, device recognition, and dual-channel encryption. This makes phishing and man-in-the-middle attacks ineffective, securing millions of users globally.
Keypasco Multi-Factor Authentication (MFA), developed by Lydsec, delivers a high-security, passwordless login experience by integrating FIDO2 and FIDO UAF standards. Only authorized users can log in from their registered device, at the designated location, and within a specific timeframe. Its patented dual-channel authentication architecture separates login and verification encryption, effectively preventing man-in-the-middle (MiTM), browser-based MiTB attacks, phishing, and account takeover (ATO). Already trusted by financial institutions and enterprises, Keypasco MFA secures millions of users worldwide.
4. Adopt Zero Trust Network Access
Zero Trust assumes: “Never trust, always verify.” Every login attempt, internal or external, must be validated based on identity, device, behavior, and real-time risk. Keypasco ZTNA delivers this approach with identity verification, device authentication, and trust inference—ensuring that even if one account is compromised, attackers cannot freely move across the network.
- Never trust devices, users, or applications by default
- Require identity verification, behavior analysis, and risk assessment for each access attempt
- Grant access dynamically based on current risk level
This means even internal staff, outsourced teams, and vendors must go through multiple layers of verification and operate under restricted permissions. It prevents attackers from moving laterally across your network if one account is compromised through social engineering or phishing.
Keypasco ZTNA is a cybersecurity solution built on Zero Trust Network Access principles. Developed in line with U.S. NIST and CISA standards, as well as Taiwan’s government Zero Trust framework, it is certified by the National Institute of Cyber Security. Keypasco ZTNA employs identity verification, device authentication, and trust inference technologies to help organizations achieve comprehensive and robust cybersecurity protection.
- Identity Verification: Offers multi-factor authentication, including FIDO U2F and FIDO2 solutions.
- Device Authentication: Scans device attributes and software information, storing them on Keypasco servers for device validation.
- Trust Inference: Uses artificial intelligence to analyze behavior, continuously assess risk, and trigger additional authentication when needed.
The Workday breach is another reminder that in cybersecurity, people are the new perimeter. Hackers didn’t break into Workday through code—they simply convinced someone to open the door. Organizations that rely only on technical defenses miss this human factor. True resilience requires a combined strategy: employee awareness, reducing third-party risks, and implementing advanced MFA and Zero Trust technologies.
Keypasco meets global standards and is trusted by government, finance, healthcare, smart building, and high-tech organizations worldwide. As cyber threats evolve, we remain committed to empowering organizations with robust, future-ready security solutions. This ensures that they stay compliant, resilient, and ahead of the curve in a rapidly changing digital landscape.