SparTech Software CyberPulse – Your quick strike cyber update for August 22, 2025 4:05 PM

Workday Data Breach Linked to Recent Salesforce Attacks

In August 2025, Workday, a major human resources software provider, disclosed a security breach tied to a wave of sophisticated attacks leveraging vulnerabilities in Salesforce CRM systems. The incident highlights evolving risks posed by social engineering and third-party integration exposure, with evidence connecting these attacks to the notorious ShinyHunters threat actor group.

Incident Overview and Attack Vector

The breach was first identified on August 6, 2025, and involved unauthorized access to business contact information including names, email addresses, and phone numbers. Notably, Workday emphasized that customer tenants and internal HR data were not compromised, as the attackers targeted a third-party CRM platform used by the company rather than Workday’s primary systems.

The attack leveraged deceptive social engineering tactics. Threat actors impersonated trusted HR or IT staff via phone or text, tricking employees into approving malicious OAuth applications within Salesforce. Once authorized, these rogue applications allowed attackers to scrape and extract sensitive CRM data—launching a successful supply chain attack by exploiting integration points rather than direct vulnerabilities in Workday itself.

ShinyHunters and Their Broader Campaign

While Workday did not specifically attribute responsibility, security researchers independently linked the breach to the ShinyHunters group. This actor has become infamous for a spate of recent attacks against high-profile brands such as Google, Adidas, Qantas, Allianz Life, Dior, and Chanel. The group routinely abuses OAuth permissions to infiltrate organizations’ Salesforce platforms, steal large volumes of CRM data, and subsequently threaten victims with extortion or sell stolen data on underground forums.

Exposure Scope and Ongoing Threats

Workday reported that only basic contact information was compromised, downplaying the sensitivity of the disclosed data. Nonetheless, cybersecurity experts warn that even seemingly innocuous business data can be weaponized for highly targeted spear-phishing or future social engineering campaigns. The growing frequency and success of such attacks underscore the necessity of stronger employee awareness, zero-trust access controls, and vigilant monitoring of third-party integrations.
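As an added illustration of the monitoring the article calls for (this is not code from the article, Workday or Salesforce), the following Python sketch reviews connected-app authorization records for the pattern described above: an unvetted OAuth app granted broad scopes that then pulls CRM records in bulk. The record fields, the allowlist, the thresholds and the sample data are all constructed for the example and are not Salesforce's real event schema.

```python
from datetime import datetime, timedelta

# Constructed sample data; NOT Salesforce's real event schema. Each record is one
# OAuth connected-app authorization plus the API read volume observed afterwards.
SAMPLE_EVENTS = [
    {"app": "Marketing Sync", "approved_by": "jdoe", "approved_at": "2025-06-01T09:00:00",
     "scopes": ["api", "refresh_token"], "records_read": 1_200},
    {"app": "HR Support Tool", "approved_by": "asmith", "approved_at": "2025-08-05T14:32:00",
     "scopes": ["full", "refresh_token"], "records_read": 250_000},
    {"app": "Survey Widget", "approved_by": "bwong", "approved_at": "2025-08-10T11:10:00",
     "scopes": ["openid", "email"], "records_read": 5},
]

# Apps the organization has vetted and approved (constructed allowlist).
APPROVED_APPS = {"Marketing Sync"}
# Scopes granting API-level read access that persists after the approving user logs off.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
EXAMPLE_NOW = datetime(2025, 8, 20)  # review time used by the sample run


def review_app(event, now, lookback_days=30, read_threshold=10_000):
    """Return the reasons this authorization matches the abuse pattern ([] if it does not)."""
    unknown = event["app"] not in APPROVED_APPS
    broad = sorted(BROAD_SCOPES & set(event["scopes"]))
    age = now - datetime.fromisoformat(event["approved_at"])
    recent = age <= timedelta(days=lookback_days)
    bulk = event["records_read"] > read_threshold
    # The pattern in the article: an unvetted app granted API-level access that is
    # newly authorized and/or pulling records in bulk. A single signal is not escalated.
    if not (unknown and broad and (recent or bulk)):
        return []
    reasons = ["app not on approved list", f"broad scopes granted: {broad}"]
    if recent:
        reasons.append(f"authorized {age.days} days ago by {event['approved_by']}")
    if bulk:
        reasons.append(f"bulk read volume: {event['records_read']} records")
    return reasons


def review_all(events, now, **kwargs):
    # Map app name -> reasons for every authorization that matches the pattern.
    flagged = {}
    for event in events:
        reasons = review_app(event, now, **kwargs)
        if reasons:
            flagged[event["app"]] = reasons
    return flagged


if __name__ == "__main__":
    for app, reasons in review_all(SAMPLE_EVENTS, EXAMPLE_NOW).items():
        print(f"REVIEW {app}: " + "; ".join(reasons))
```

The allowlist and thresholds are the tuning knobs: in practice they would be fed from the organization's app-approval process and a baseline of normal per-app API volume.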

Windows 11 24H2 Security Update Triggers Storage Failures and Data Loss

Microsoft’s August 2025 Patch Tuesday brought serious operational risks for Windows 11 users, as the 24H2 security update (KB5063878) has been linked to critical failures involving SSD and HDD drives. Users report major malfunctions including missing drives and file corruption, with the issues directly tied to attempts to address a widely circulated malware threat.

Technical Analysis of the Update and Resulting Issues

KB5063878 aimed to reinforce Windows Defender’s ability to detect and neutralize the Lamma stealer malware, which has targeted systems via manipulated Windows ISO images. While the patch corrected an installation error (code 0x80240069), it introduced a new set of crippling problems: after installation, storage devices may disappear from the operating system, and heavy write activity—such as during large game updates—can corrupt files or render drives inaccessible.

Impact and Response Measures

Many reports show failures are most common during intensive disk operations, for example, while patching or updating large games such as Cyberpunk 2077. As of August 2025, Microsoft had not yet provided a definitive resolution for drive recognition or file corruption bugs triggered by the update. Security professionals advise organizations to avoid deploying KB5063878 until a stable fix emerges, reinforce backup regimens, and avoid high-risk disk operations on affected systems.

Malware Context: Lamma Stealer

The problematic update’s original intent was to curb Lamma stealer, a strain capable of infiltrating systems through malicious Windows ISO files. Its payload can extract credentials, harvest sensitive data, and propagate within enterprise environments, emphasizing the complex trade-offs between patch speed and thorough regression testing.
