Attackers have accessed names, emails, and phone numbers; linked to ShinyHunters group using rigged OAuth apps.

On 15 August, a Software-as-a-Service (SaaS) firm had disclosed in a blog post that attackers had gained access to one of its third-party customer relationship management (CRM) platforms through social engineering tactics, accessing business contact information.

The attackers had reportedly impersonated HR and IT personnel to manipulate staff and gain access to the CRM system. The information taken primarily included names, email addresses, and phone numbers, which could be used in phishing or vishing scams.

Upon discovering the breach, the firm involved, Workday, is said to have quickly revoked the attackers’ access and implemented additional security measures to prevent future incidents. It has informed affected customers and partners, advising them to be cautious of potential scams linked to the exposed contact details. However, the firm has chosen not to disclose the identity of the third-party CRM or specific details about how many customers were impacted, fueling speculation about efforts to manage reputational damage and minimize scrutiny.

Investigators and independent security experts have connected the incident to ShinyHunters, a well-known threat group that has targeted other cloud platforms in recent months. Recent activity indicates that ShinyHunters may be collaborating with other hacking crews, including Scattered Spider and Lapsus$, sharing methods and possibly victim lists through private online forums. The technique usually involves using social engineering and vishing/phishing tactics to trick key personnel into downloading an rigged OAuth app or handing over their credentials inadvertently.

On social media platforms, commentators have criticized the lack of clarity on the exact CRM vendor, and the scope of data accessed remains a focal point for continued skepticism and debate. Meanwhile, the firm maintains that its central systems remain intact, and customer data has been quarantined from the affected CRM.

Nonetheless, the incident highlights the increasing effectiveness of social engineering attacks and the critical need for organizations to fortify employee awareness and system safeguards.