{ "id": "bfd538c1-3124-4939-99e1-32bf38314074", "created_at": "2026-04-29T02:20:30.635232Z", "updated_at": "2026-04-29T08:21:16.099036Z", "deleted_at": null, "sha1_hash": "662a514c4800847a122d8f80b44eaf909e5f870a", "title": "Hackers target Workday in social engineering attack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 407001, "plain_text": "Hackers target Workday in social engineering attack\r\nBy David Jones\r\nPublished: 2025-08-19 · Archived: 2026-04-29 02:11:20 UTC\r\nAn article from\r\nResearchers cite increasing evidence of collaboration between Scattered Spider and the cybercrime group\r\nShinyHunters in the campaign.\r\nPublished Aug. 19, 2025\r\nAn aerial view of Workday headquarters on Feb. 6, 2025 in Pleasanton, California. The company\r\nwas targeted in a social engineering campaign that snagged a CRM vendor. Justin Sullivan via Getty\r\nImages\r\nhttps://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email.\r\nPage 1 of 2\n\nWorkday has confirmed that it fell victim to a wide-ranging social engineering campaign that allowed hackers to\r\naccess information at one of its third-party vendors. \r\nThe hackers work by impersonating IT and human-resources personnel in order to trick employees into sharing\r\ntheir personal information and account credentials, Workday said in a blog post published Friday.\r\nBreaching the customer-support system gave the hackers access to support tickets that included Workday\r\ncustomers’ names, email addresses and phone numbers, which the hackers could use to conduct further social-engineering attacks. But Workday said there was no sign that the intruders had accessed data stored on its own\r\nservers.\r\n“All signs show that our customer Workday data remains secure,” a spokesperson told Cybersecurity Dive via\r\nemail. \r\nWorkday is a major AI-based platform for managing human resources and payments. More than 11,000\r\norganizations around the world use its services, including more than 60% of the Fortune 500.\r\nThe attack follows a string of social-engineering intrusions linked to ShinyHunters, a hacker group associated\r\nwith an underground cybercrime collective known as The Com. The Com also has ties to the notorious hacker\r\nteam Scattered Spider, which has targeted companies in multiple industries over the past several months, including\r\nretail, insurance and aviation. \r\nShinyHunters has launched numerous attacks in recent months targeting Salesforce instances, according to\r\nresearchers at Google. The group targeted one of Google’s own Salesforce instances earlier this month. \r\nReliaquest recently published evidence of possible collaboration between ShinyHunters and Scattered Spider,\r\nincluding ticket-themed phishing domains and Salesforce credential-harvesting pages. \r\nWorkday said it has informed customers and partners about the incident with its vendor and has taken additional\r\nsecurity measures to prevent a similar incident from happening again. \r\nThe company emphasized that it never contacts anyone by phone to request passwords or other personal\r\ninformation.\r\nSource: https://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%\r\n20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email.\r\nhttps://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email.\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email." ], "report_names": [ "#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email." ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-29T06:58:58.007866Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-29T06:58:56.647929Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-29T06:58:57.587988Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-29T06:58:57.795751Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-29T06:58:56.587412Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scatter Swine", "Storm-0971", "Starfraud", "Muddled Libra", "Oktapus", "Octo Tempest", "0ktapus", "DEV-0971", "UNC3944", "Scattered Swine" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-29T06:58:57.746126Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-29T06:58:57.516698Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-29T06:58:58.337954Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1777429230, "ts_updated_at": 1777450876, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/662a514c4800847a122d8f80b44eaf909e5f870a.pdf", "text": "https://archive.orkl.eu/662a514c4800847a122d8f80b44eaf909e5f870a.txt", "img": "https://archive.orkl.eu/662a514c4800847a122d8f80b44eaf909e5f870a.jpg" } }