Workday on Aug. 15 reported that its third-party customer relationship management (CRM) platform was breached in a social engineering attack.

The company did not specify the platform that was attacked, but it did have all the hallmarks of the recent wave of Salesforce attacks, in that it was yet another social engineering attack in which credentials were stolen.

Workday posted in its blog that the type of information the threat actor obtained was mostly commonly available business contact information, such as names, email addresses and phone numbers – potentially to further its social engineering scams.

BleepingComputer reported that the Workday case was part of a wave of security incidents linked to ShinyHunters , which has been running extortion campaigns that target Salesforce accounts via social engineering and vishing.

“The Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns: social profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast,” said J Stephen Kowski, field CTO at SlashNext Email Security.

Kowski said teams can block these attacks “at the point of click” with real-time link and QR inspection across email, mobile, browsers, and chat—plus rapid analysis that catches lookalike domains and phishing kits hosted on trusted platforms. He advised teams to backstop with identity defenses that detect session theft and MFA bypass, and auto-revoke risky OAuth tokens while enforcing least privilege.

The Workday breach echoes an ongoing wave of credential theft campaigns against CRM platforms, said Nic Adams, co-founder and CEO at 0rcus. Adams said these incidents succeed through social engineering, credential harvesting and privilege escalation once attackers gain access.