Workday
Company Details
Linkedin ID:
workday
Website:
Employees number:
25,257
Number of followers:
1,260,364
NAICS:
5112
Industry Type:
Homepage:
workday.com
IP Addresses:
0
Company ID:
WOR_2352830
Scan Status:
In-progress
Workday Company CyberSecurity Posture
workday.com
Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and machine learning at the core to help organizations around the world embrace the future of work. Workday is used by more than 10,000 organizations around the world and across industries – from medium-sized businesses to more than 50% of the Fortune 500.
Workday A.I CyberSecurity Scoring
Workday Risk Score (AI oriented)Between 700 and 749
Workday
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Workday Global Score (TPRM)XXXX
Workday
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Workday Company CyberSecurity News & History
Past Incidents
2
Attack Types
1
Workday
Breach
Rankiteo Explanation
Attack limited on finance or reputation
Description: Workday, a provider of enterprise cloud applications for finance and HR, confirmed it was targeted by a **sophisticated social engineering campaign** via a third-party CRM platform. Threat actors used impersonation tactics (phone calls/texts posing as HR/IT) to deceive employees into surrendering credentials, leading to unauthorized access to the CRM system. The breach exposed **business contact information** (names, emails, phone numbers)—data commonly available but used to fuel further scams. Workday clarified that **no customer data, proprietary systems, or tenant environments were compromised**. The company terminated the unauthorized access, reinforced security measures, and emphasized employee training to mitigate future risks. The incident underscores the vulnerability of third-party vendors and human error in cybersecurity defenses.
Workday
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Workday confirmed a security breach stemming from a compromise of **Salesloft’s Drift application**, which granted unauthorized access to **customer-facing metadata** within its **Salesforce environment**. The threat actor exploited stolen **OAuth credentials** from Drift to execute targeted search queries in Workday’s Salesforce tenant, exposing non-sensitive data such as **business contact details, support case IDs, tenant attributes (name, data center location), product/service listings, training enrollments, and event logs**. No **file attachments, contracts, financial documents, or sensitive credentials** (e.g., passwords, tokens) were accessed, though Workday is auditing historical case notes for inadvertent disclosures. The attack was **contained to the Salesforce layer** via Drift, with no direct compromise of Workday’s core platform. Customers were advised to **rotate credentials, enforce MFA, and monitor for phishing risks**. The incident highlights third-party integration vulnerabilities and the importance of **OAuth security and access controls** in cloud ecosystems.
Workday Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Workday
Incidents vs Software Development Industry Average (This Year)
Workday has 244.83% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
Workday has 159.74% more incidents than the average of all companies with at least one recorded incident.
Incident Types Workday vs Software Development Industry Avg (This Year)
Workday reported 2 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 2 data breaches, compared to industry peers with at least 1 incident.
Incident History — Workday (X = Date, Y = Severity)
Workday cyber incidents detection timeline including parent company and subsidiaries
Workday Company Subsidiaries
Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and machine learning at the core to help organizations around the world embrace the future of work. Workday is used by more than 10,000 organizations around the world and across industries – from medium-sized businesses to more than 50% of the Fortune 500.
Loading...
Workday Similar Companies
The Facebook company is now Meta. Meta builds technologies that help people connect, find communities, and grow businesses. When Facebook launched in 2004, it changed the way people connect. Apps like Messenger, Instagram and WhatsApp further empowered billions around the world. Now, Meta is moving
SS&C is a leading global provider of mission-critical, cloud-based software and solutions for the financial and healthcare industries. Named to the Fortune 1000 list as a top U.S. company based on revenue, SS&C (NASDAQ: SSNC) is a trusted provider to more than 20,000 financial services and healthcar
A problem isn't truly solved until it's solved for all. Googlers build products that help create opportunities for everyone, whether down the street or across the globe. Bring your insight, imagination and a healthy disregard for the impossible. Bring everything that makes you unique. Together, we c
Autodesk is changing how the world is designed and made. Our technology spans architecture, engineering, construction, product design, manufacturing, and media and entertainment. We empower innovators everywhere to solve challenges, big and small. From greener buildings to smarter products and mo
Instacart, the leading grocery technology company in North America, works with grocers and retailers to transform how people shop. The company partners with more than 1,500 national, regional, and local retail banners to facilitate online shopping, delivery and pickup services from more than 85,000
TOTVS
Olá, somos a TOTVS! A maior empresa de tecnologia do Brasil. 🤓 Líder absoluta em sistemas e plataformas para empresas, a TOTVS possui mais de 70 mil clientes. Indo muito além do ERP, oferece tecnologia completa para digitalização dos negócios por meio de 3 unidades de negócio: - Gestão: ERPs, sol
Meituan
Adhering to the ‘Retail + Technology’ strategy, Meituan commits to its mission that 'We help people eat better, live better'. Since its establishment in March 2010, Meituan has advanced the digital upgrading of services and goods retail on both supply and demand sides. Together with our partners we
HubSpot
HubSpot is a leading CRM platform that provides software and support to help businesses grow better. Our platform includes marketing, sales, service, and website management products that start free and scale to meet our customers’ needs at any stage of growth. Today, thousands of customers around th
Bosch USA
The Bosch Group’s strategic objective is to create solutions for a connected life. Bosch improves quality of life worldwide with innovative products and services that are "Invented for life" and spark enthusiasm. Podcast: http://bit.ly/beyondbosch Imprint: https://www.bosch.us/corporate-informatio
.png)
Workday CyberSecurity News
November 24, 2025 08:00 AM
NC school district closed Tuesday due to cybersecurity issue
Jackson County Public Schools, in western North Carolina, said classes are canceled on Tuesday due to a cybersecurity issue.
October 29, 2025 07:00 AM
Infosys, Workday to modernise Metro Bank’s finance ops with cloud-native platform
India's second-largest IT services firm, Infosys, on Wednesday, announced a strategic collaboration with Metro Bank, one of the UK's leading...
October 17, 2025 07:00 AM
Workday Announces New AI Centre of Excellence in Dublin to Accelerate European Innovation
Workday, Inc. (NASDAQ: WDAY), the enterprise AI platform for managing people, money, and agents, today announced a new AI Centre of...
October 16, 2025 02:00 PM
Workday To Invest €175M in Dublin AI Centre of Excellence, Adding 200 Jobs - Irish Tech News
Workday, Inc. (NASDAQ: WDAY), the enterprise AI platform for managing people, money, and agents, today announced a three-year €175 million...
October 16, 2025 07:00 AM
Hackers Hijack U.S. University Payrolls Using Workday Accounts, Microsoft Warns
Microsoft warns of a cybercrime group hijacking U.S. university payrolls exploiting weak MFA and phishing staff credentials.
October 15, 2025 07:00 AM
Workday’s Jen Schreiber: Securing the essence of identity
Schreiber's most significant contributions have been to open standards in the area of real-time cybersecurity.
October 15, 2025 07:00 AM
“Payroll Pirate” Social Engineering Attacks on Workday Divert Employees’ Wages
Microsoft warns of social engineering attacks dubbed “payroll pirates” resulting in lost wages after hackers divert employees' earnings to...
October 15, 2025 07:00 AM
Workday sets up new AI Centre of Excellence in Dublin
Workday, global enterprise AI platform, plans to set up a new AI Centre of Excellence in Dublin, Ireland - investing EUR 175 million and...
October 15, 2025 07:00 AM
Future Professions You Need to Skill Up For
The world of work is changing fast—learn the trends and skills you need to know to stay prepared in your career.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Workday CyberSecurity History Information
Official Website of Workday
The official website of Workday is http://www.workday.com.
Workday’s AI-Generated Cybersecurity Score
According to Rankiteo, Workday’s AI-generated cybersecurity score is 739, reflecting their Moderate security posture.
How many security badges does Workday’ have ?
According to Rankiteo, Workday currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Workday have SOC 2 Type 1 certification ?
According to Rankiteo, Workday is not certified under SOC 2 Type 1.
Does Workday have SOC 2 Type 2 certification ?
According to Rankiteo, Workday does not hold a SOC 2 Type 2 certification.
Does Workday comply with GDPR ?
According to Rankiteo, Workday is not listed as GDPR compliant.
Does Workday have PCI DSS certification ?
According to Rankiteo, Workday does not currently maintain PCI DSS compliance.
Does Workday comply with HIPAA ?
According to Rankiteo, Workday is not compliant with HIPAA regulations.
Does Workday have ISO 27001 certification ?
According to Rankiteo,Workday is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Workday
Workday operates primarily in the Software Development industry.
Number of Employees at Workday
Workday employs approximately 25,257 people worldwide.
Subsidiaries Owned by Workday
Workday presently has no subsidiaries across any sectors.
Workday’s LinkedIn Followers
Workday’s official LinkedIn profile has approximately 1,260,364 followers.
NAICS Classification of Workday
Workday is classified under the NAICS code 5112, which corresponds to Software Publishers.
Workday’s Presence on Crunchbase
Yes, Workday has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/workday.
Workday’s Presence on LinkedIn
Yes, Workday maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/workday.
Cybersecurity Incidents Involving Workday
As of December 11, 2025, Rankiteo reports that Workday has experienced 2 cybersecurity incidents.
Number of Peer and Competitor Companies
Workday has an estimated 27,532 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Workday ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does Workday detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with terminated unauthorized access to third-party crm, and remediation measures with enhanced security awareness training, remediation measures with additional security controls, and communication strategy with public disclosure, communication strategy with customer reassurance via trusted channels, communication strategy with security awareness reinforcement, and and and third party assistance with independent forensic firm (unnamed), third party assistance with collaboration with salesloft, and containment measures with disabled drift connector, containment measures with revoked all associated oauth tokens, containment measures with removed residual integrations, and remediation measures with full audit of historical case text for credential disclosures, remediation measures with customer notifications for credential rotation, and communication strategy with direct customer notifications, communication strategy with public advisory via workday and salesloft trust portals, communication strategy with detailed mfa/step-up authentication guidance, and enhanced monitoring with user activity logs for unusual behavior (recommended to customers)..
Incident Details
Can you provide details on each incident ?
Title: Workday Social Engineering Campaign Leading to Third-Party CRM Data Breach
Description: Workday, a leading provider of enterprise cloud applications for finance and human resources, confirmed it was targeted by a sophisticated social engineering campaign. The attack resulted in unauthorized access to a third-party Customer Relationship Management (CRM) platform, exposing commonly available business contact information (e.g., names, email addresses, phone numbers). The incident did not compromise Workday’s core systems, customer data, or tenant environments. Threat actors impersonated HR/IT personnel via text messages or phone calls to deceive employees into surrendering credentials. Workday terminated the unauthorized access, reinforced security awareness, and implemented additional protective measures.
Type: Social Engineering
Attack Vector: Phishing (SMS/Phone Calls)Impersonation (HR/IT Personnel)Credential Harvesting
Vulnerability Exploited: Human Error (Lack of Awareness/Training)
Motivation: Data Theft for Further Social EngineeringCredential Harvesting
Title: Unauthorized Access to Workday’s Salesforce Environment via Compromised Drift Application
Description: Workday confirmed that a compromise of Salesloft’s Drift application led to unauthorized access to customer-facing data and basic case information within its Salesforce environment. The threat actor exploited Drift’s OAuth credentials to perform targeted search queries in Workday’s Salesforce tenant. Exposed data included non-sensitive metadata such as business contact details, support case identifiers, tenant attributes, product listings, training enrollments, and event logs. No file attachments, contracts, or sensitive documents were accessed. Workday disabled the Drift connector, revoked OAuth tokens, and engaged a forensic firm for investigation. Customers were advised to rotate credentials and enforce multi-factor authentication (MFA).
Date Publicly Disclosed: 2024-08-26
Type: Data Breach
Attack Vector: Compromised Third-Party Application (Drift)OAuth Credential AbuseTargeted Search Queries in Salesforce
Vulnerability Exploited: Weak OAuth Credential Security in DriftLack of Multi-Factor Authentication (MFA) for Third-Party Integrations
Threat Actor: Sophisticated Threat Actor (unknown affiliation)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Third-Party CRM Platform (via Compromised Employee Credentials) and Compromised OAuth credentials in Salesloft’s Drift application.
Impact of the Incidents
What was the impact of each incident ?
Incident : Social Engineering WOR411081825
Data Compromised: Business contact information (names, email addresses, phone numbers)
Systems Affected: Third-Party CRM Platform
Operational Impact: Minimal (No Core Systems or Customer Data Affected)
Brand Reputation Impact: Potential Erosion of Trust (Mitigated by Transparent Disclosure)
Identity Theft Risk: Low (Limited to Business Contact Info)
Incident : Data Breach WOR1132611091025
Data Compromised: Business contact details, Support case identifiers, Tenant attributes (name, data center location), Product and service listings, Training course enrollments with certificates, Event logs
Systems Affected: Workday’s Salesforce tenant (via Drift integration)
Operational Impact: Forensic investigationCredential rotation for affected customersAudit of historical case text for inadvertent disclosures
Brand Reputation Impact: Potential erosion of trust due to third-party vulnerabilityProactive customer notifications and advisory issuance
Identity Theft Risk: ['Low (no PII or sensitive credentials confirmed exposed)']
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Business Contact Information, , Non-Sensitive Metadata, Business Operational Data and .
Which entities were affected by each incident ?
Incident : Social Engineering WOR411081825
Entity Name: Workday, Inc.
Entity Type: Corporation
Industry: Enterprise Cloud Applications, Finance, Human Resources
Location: Pleasanton, California, USA
Size: Large (Enterprise-Level)
Customers Affected: None (Customer Data/Tenants Unaffected)
Incident : Data Breach WOR1132611091025
Entity Name: Workday
Entity Type: Enterprise Software Provider
Industry: Human Capital Management (HCM) and Financial Management
Location: Global (HQ: Pleasanton, California, USA)
Size: Large (10,000+ employees)
Customers Affected: Customers who shared credentials via Salesforce cases (exact number unspecified)
Incident : Data Breach WOR1132611091025
Entity Name: Salesloft (Drift application provider)
Entity Type: Third-Party Vendor
Industry: Sales Engagement and Conversational Marketing
Location: Global (HQ: Atlanta, Georgia, USA)
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Social Engineering WOR411081825
Incident Response Plan Activated: True
Containment Measures: Terminated Unauthorized Access to Third-Party CRM
Remediation Measures: Enhanced Security Awareness TrainingAdditional Security Controls
Communication Strategy: Public DisclosureCustomer Reassurance via Trusted ChannelsSecurity Awareness Reinforcement
Incident : Data Breach WOR1132611091025
Incident Response Plan Activated: True
Third Party Assistance: Independent Forensic Firm (Unnamed), Collaboration With Salesloft.
Containment Measures: Disabled Drift connectorRevoked all associated OAuth tokensRemoved residual integrations
Remediation Measures: Full audit of historical case text for credential disclosuresCustomer notifications for credential rotation
Communication Strategy: Direct customer notificationsPublic advisory via Workday and Salesloft trust portalsDetailed MFA/step-up authentication guidance
Enhanced Monitoring: User activity logs for unusual behavior (recommended to customers)
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Independent forensic firm (unnamed), Collaboration with Salesloft, .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Social Engineering WOR411081825
Type of Data Compromised: Business contact information
Sensitivity of Data: Low (Publicly Available or Easily Obtainable)
Personally Identifiable Information: NamesEmail AddressesPhone Numbers
Incident : Data Breach WOR1132611091025
Type of Data Compromised: Non-sensitive metadata, Business operational data
Sensitivity of Data: Low (no PII, financial data, or sensitive documents)
File Types Exposed: Text-based case notesEvent logsTraining enrollment records
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Enhanced Security Awareness Training, Additional Security Controls, , Full audit of historical case text for credential disclosures, Customer notifications for credential rotation, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by terminated unauthorized access to third-party crm, , disabled drift connector, revoked all associated oauth tokens, removed residual integrations and .
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Social Engineering WOR411081825
Lessons Learned: Human element remains a critical vulnerability in cybersecurity., Third-party vendors can serve as attack vectors for breaching primary targets., Social engineering tactics (e.g., impersonation via phone/SMS) are increasingly sophisticated., Proactive employee training and awareness are essential to mitigate phishing risks.
Incident : Data Breach WOR1132611091025
Lessons Learned: Third-party integrations (e.g., OAuth-based apps) introduce significant risk vectors., Proactive monitoring of anomalous activity in SaaS environments is critical., Regular audits of case text and support logs can mitigate inadvertent credential exposure., Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.
What recommendations were made to prevent future incidents ?
Incident : Social Engineering WOR411081825
Recommendations: Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Regularly audit third-party vendor security practices and access controls., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Monitor dark web/underground forums for signs of stolen credentials or exposed data., Adopt behavioral analytics to detect anomalous access patterns in real-time.
Incident : Data Breach WOR1132611091025
Recommendations: Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.Rotate all credentials shared via Salesforce cases., Enforce MFA across all user accounts, especially for third-party integrations., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Monitor user activity logs for unusual behavior., Verify independent impact assessments for direct Drift customers., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Human element remains a critical vulnerability in cybersecurity.,Third-party vendors can serve as attack vectors for breaching primary targets.,Social engineering tactics (e.g., impersonation via phone/SMS) are increasingly sophisticated.,Proactive employee training and awareness are essential to mitigate phishing risks.Third-party integrations (e.g., OAuth-based apps) introduce significant risk vectors.,Proactive monitoring of anomalous activity in SaaS environments is critical.,Regular audits of case text and support logs can mitigate inadvertent credential exposure.,Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.
References
Where can I find more information about each incident ?
Incident : Social Engineering WOR411081825
Source: Workday Official Statement
URL: https://www.workday.com/en-us/company/trust/security-trust.html
Incident : Data Breach WOR1132611091025
Source: Workday Security Advisory
Incident : Data Breach WOR1132611091025
Source: Salesloft Trust Portal Update (August 26, 2024)
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Workday Official StatementUrl: https://www.workday.com/en-us/company/trust/security-trust.html, and Source: Workday Security Advisory, and Source: Salesloft Trust Portal Update (August 26, 2024).
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Social Engineering WOR411081825
Investigation Status: Resolved (Unauthorized Access Terminated; Additional Security Measures Implemented)
Incident : Data Breach WOR1132611091025
Investigation Status: Ongoing (forensic analysis and customer audits in progress)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosure, Customer Reassurance Via Trusted Channels, Security Awareness Reinforcement, Direct Customer Notifications, Public Advisory Via Workday And Salesloft Trust Portals and Detailed Mfa/Step-Up Authentication Guidance.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Social Engineering WOR411081825
Stakeholder Advisories: Workday Reassured Customers That No Proprietary Data Or Tenant Environments Were Compromised., Emphasized The Importance Of Verifying Communication Channels Before Sharing Sensitive Information..
Customer Advisories: Customers were directed to Workday’s Security and Trust webpage for updates.Reminder: Workday will never request passwords or secure details via phone.
Incident : Data Breach WOR1132611091025
Stakeholder Advisories: Direct Notifications To Affected Customers, Public Guidance On Mfa And Credential Rotation.
Customer Advisories: Rotate credentials transmitted via Salesforce cases.Audit historical case text for sensitive data.Enforce MFA and step-up authentication.Review Drift integration configurations (if applicable).
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Workday Reassured Customers That No Proprietary Data Or Tenant Environments Were Compromised., Emphasized The Importance Of Verifying Communication Channels Before Sharing Sensitive Information., Customers Were Directed To Workday’S Security And Trust Webpage For Updates., Reminder: Workday Will Never Request Passwords Or Secure Details Via Phone., , Direct Notifications To Affected Customers, Public Guidance On Mfa And Credential Rotation, Rotate Credentials Transmitted Via Salesforce Cases., Audit Historical Case Text For Sensitive Data., Enforce Mfa And Step-Up Authentication., Review Drift Integration Configurations (If Applicable). and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Social Engineering WOR411081825
Entry Point: Third-Party CRM Platform (via Compromised Employee Credentials)
High Value Targets: Employee Credentials, Business Contact Information,
Data Sold on Dark Web: Employee Credentials, Business Contact Information,
Incident : Data Breach WOR1132611091025
Entry Point: Compromised OAuth credentials in Salesloft’s Drift application
High Value Targets: Workday’S Salesforce Tenant, Customer Support Case Data,
Data Sold on Dark Web: Workday’S Salesforce Tenant, Customer Support Case Data,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Social Engineering WOR411081825
Root Causes: Successful Social Engineering Attack Exploiting Human Trust., Inadequate Verification Of Unsolicited Communication (Phone/Sms)., Potential Gaps In Third-Party Vendor Security Controls.,
Corrective Actions: Terminated Unauthorized Access To The Crm System., Enhanced Employee Training On Social Engineering Tactics., Implemented Additional Security Measures (Details Undisclosed)., Reinforced Communication Policies To Prevent Credential Harvesting.,
Incident : Data Breach WOR1132611091025
Root Causes: Insufficient Protection Of Drift’S Oauth Credentials By Salesloft., Lack Of Granular Access Controls For Third-Party Integrations In Salesforce., Potential Over-Reliance On Single-Factor Authentication For High-Risk Operations.,
Corrective Actions: Disabling Vulnerable Drift Connector And Revoking Oauth Tokens., Engaging Forensic Firm For Comprehensive System Review., Issuing Customer Advisories For Credential Rotation And Mfa Enforcement., Publishing Detailed Guidance For Authentication Hardening.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Independent Forensic Firm (Unnamed), Collaboration With Salesloft, , User Activity Logs For Unusual Behavior (Recommended To Customers), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Terminated Unauthorized Access To The Crm System., Enhanced Employee Training On Social Engineering Tactics., Implemented Additional Security Measures (Details Undisclosed)., Reinforced Communication Policies To Prevent Credential Harvesting., , Disabling Vulnerable Drift Connector And Revoking Oauth Tokens., Engaging Forensic Firm For Comprehensive System Review., Issuing Customer Advisories For Credential Rotation And Mfa Enforcement., Publishing Detailed Guidance For Authentication Hardening., .
Additional Questions
General Information
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident was an Sophisticated Threat Actor (unknown affiliation).
Incident Details
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-08-26.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Business Contact Information (Names, Email Addresses, Phone Numbers), , Business contact details, Support case identifiers, Tenant attributes (name, data center location), Product and service listings, Training course enrollments with certificates, Event logs and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Third-Party CRM Platform and Workday’s Salesforce tenant (via Drift integration).
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was independent forensic firm (unnamed), collaboration with salesloft, .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Terminated Unauthorized Access to Third-Party CRM and Disabled Drift connectorRevoked all associated OAuth tokensRemoved residual integrations.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Business contact details, Product and service listings, Event logs, Support case identifiers, Tenant attributes (name, data center location), Business Contact Information (Names, Email Addresses, Phone Numbers) and Training course enrollments with certificates.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Rotate all credentials shared via Salesforce cases., Implement step-up authentication for high-privilege operations., Conduct phishing awareness training and simulated assessments., Adopt behavioral analytics to detect anomalous access patterns in real-time., Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening., Reinforce communication policies (e.g., never request passwords via phone/SMS)., Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation)., Monitor user activity logs for unusual behavior., Regularly audit third-party vendor security practices and access controls., Enforce MFA across all user accounts, especially for third-party integrations., Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms., Verify independent impact assessments for direct Drift customers. and Monitor dark web/underground forums for signs of stolen credentials or exposed data..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Workday Security Advisory, Workday Official Statement, Salesloft Trust Portal Update (August 26 and 2024).
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.workday.com/en-us/company/trust/security-trust.html .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Resolved (Unauthorized Access Terminated; Additional Security Measures Implemented).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Workday reassured customers that no proprietary data or tenant environments were compromised., Emphasized the importance of verifying communication channels before sharing sensitive information., Direct notifications to affected customers, Public guidance on MFA and credential rotation, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Customers were directed to Workday’s Security and Trust webpage for updates.Reminder: Workday will never request passwords or secure details via phone. and Rotate credentials transmitted via Salesforce cases.Audit historical case text for sensitive data.Enforce MFA and step-up authentication.Review Drift integration configurations (if applicable).
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Compromised OAuth credentials in Salesloft’s Drift application and Third-Party CRM Platform (via Compromised Employee Credentials).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Successful social engineering attack exploiting human trust.Inadequate verification of unsolicited communication (phone/SMS).Potential gaps in third-party vendor security controls., Insufficient protection of Drift’s OAuth credentials by Salesloft.Lack of granular access controls for third-party integrations in Salesforce.Potential over-reliance on single-factor authentication for high-risk operations..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Terminated unauthorized access to the CRM system.Enhanced employee training on social engineering tactics.Implemented additional security measures (details undisclosed).Reinforced communication policies to prevent credential harvesting., Disabling vulnerable Drift connector and revoking OAuth tokens.Engaging forensic firm for comprehensive system review.Issuing customer advisories for credential rotation and MFA enforcement.Publishing detailed guidance for authentication hardening..
.png)
Latest Global CVEs (Not Company-Specific)
Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.
Risk Information
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 9.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying, however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Description
Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.
Risk Information
cvss3
Base: 8.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
Risk Information
cvss3
Base: 5.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=workday' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
