Workday Confirms Data Breach: Hackers Compromise Customer Data and Case Information
Workday has confirmed a data breach stemming from a security incident in a third-party application: Salesloft’s Drift, which connects to Salesforce environments. Workday became aware of the breach on August 23, 2025, and responded immediately by disconnecting the app, invalidating its access tokens, and launching an investigation with the assistance of an external forensics firm. The incident underscores the ongoing risks associated with third-party integrations in enterprise environments.
The breach was traced back to a compromise within Salesloft’s systems. Salesloft confirmed this on August 26, 2025, reporting that a threat actor had breached its infrastructure, obtained OAuth credentials, and executed searches within its customers’ Salesforce environments. Workday’s investigation confirmed that its Salesforce instance was affected by this unauthorized access.
According to Workday’s investigation, which was verified by a third-party forensics firm, the threat actor’s access was limited to a small subset of information stored within its Salesforce environment. The exposed data included business contact information, basic support case details, tenant-related attributes, product and service names, training course records, and event logs. Importantly, the threat actor did not gain access to sensitive external files such as contracts or order forms. In response, Workday is proactively searching all support cases for any credentials that may have been inadvertently shared and will notify affected customers directly. To mitigate risks, Workday strongly urges all customers to rotate any credentials shared with its support teams and emphasises that sensitive information should never be included in support tickets. Additionally, Workday recommends following security best practices, including mandatory multi-factor authentication and regular phishing awareness training for employees. Confirmed victims of this supply chain attack include Palo Alto Networks and Zscaler.