
Workday Data Breach Exposed Customer Data and Case Details

Major enterprise software provider Workday has disclosed a significant security incident that exposed customer data through a compromised third-party application, affecting business contact information and support case details.

Third-Party Security Breach

On August 23, 2025, Workday discovered a critical security vulnerability in Salesloft’s Drift application, a third-party tool integrated with Salesforce systems.

The cloud-based human resources and financial management company immediately disconnected the compromised application and invalidated all associated tokens to prevent further unauthorized access.

The security incident originated when threat actors successfully compromised Salesloft’s systems and obtained OAuth credentials, which they subsequently used to conduct unauthorized searches within customer Salesforce environments.

Salesloft confirmed these findings on August 26, 2025, through an official statement published on their trust website.

Workday’s investigation, conducted with assistance from an external forensic firm, revealed that attackers gained access to a limited subset of data from the company’s Salesforce environment.

The compromised information included business contact details, basic support case information, tenant-related attributes such as names and data center locations, product and service information, training course records, certificates, and system event logs.

Despite the security breach, Workday has confirmed that threat actors did not gain access to customer tenants through the Drift connection.

The company’s forensic investigation verified that external files stored in Salesforce, including contracts, order forms, and customer attachments submitted through support cases, remained secure and inaccessible to the attackers.

However, Workday acknowledged that Salesforce support cases may contain text from customer support tickets, potentially including sensitive information despite company policies advising against sharing credentials in support communications.

The organization is conducting a comprehensive review of all affected cases and will directly notify customers if sensitive information specific to their accounts is discovered.

In response to the incident, Workday is urging all customers to immediately rotate any credentials that may have been shared through support cases as a precautionary measure.

The company has outlined several security best practices, including implementing multi-factor authentication, requiring step-up authentication for sensitive operations, conducting regular phishing awareness training, and monitoring user activity with notifications for sensitive information changes.

Workday emphasized that trust and transparency remain central to their operations, apologizing for any inconvenience caused by the security incident.

The company continues working with cybersecurity experts to ensure complete system integrity and prevent similar third-party application vulnerabilities from affecting their infrastructure in the future.
