Workday Confirms Data Breach: Hackers Steal Personal Information from Third-Party Database

Workday, one of the world’s largest providers of HR technology, has confirmed that hackers managed to steal personal data in a recent breach involving one of its third-party customer relationship databases.

In a late-Friday blog post, the company disclosed that attackers exfiltrated an unspecified amount of personal details from the database, which was primarily used to hold basic contact records such as names, email addresses, and phone numbers.

It is interesting that Workday did not say clearly that no customer data was impacted. Instead, it carefully emphasized that there was “no indication of access to customer tenants or the data stored within them”—a pointed distinction, since those customer systems typically hold far more sensitive HR files and employee records.

The company warned that the stolen information could be weaponized in social-engineering schemes, where scammers manipulate or pressure victims into handing over sensitive credentials or access.

According to Workday’s website, it serves more than 11,000 enterprise clients globally, covering at least 70 million users. Bleeping Computer, a tech website, claims that the breach was found on August 6.

While Workday did not name the compromised platform, recent attacks have heavily targeted Salesforce-hosted databases, which many corporations use for storing customer information. In recent weeks, Google, Cisco, Qantas, and retailer Pandora all confirmed data theft from their Salesforce environments.

Google has attributed those incidents to the hacker collective ShinyHunters, known for “voice phishing” employees in order to gain access to cloud-based databases. The group is reportedly working on a leak-site model akin to ransomware operations, where stolen data is published unless victims pay for its deletion.

When pressed for details, Workday spokesperson Conor Spillmaker declined to go beyond the company’s blog statement. He would not confirm how many individuals were affected, whether the victims were Workday staff or its corporate clients, or if Workday even has the technical logging needed to determine what specific data was stolen.

Adding to the opacity, Workday’s disclosure blog post included a hidden “noindex” tag in its source code—an instruction that prevents search engines from indexing the page, effectively making it difficult for the public to find.

Why the company is intentionally hiding its breach disclosure from search results remains unclear.