
Workday is a leading provider of enterprise cloud applications for finance and human resources, helping customers adapt and thrive in a changing world. Workday applications for financial management, human resources, planning, spend management, and analytics are built with artificial intelligence and machine learning at the core to help organizations around the world embrace the future of work. Workday is used by more than 10,000 organizations around the world and across industries – from medium-sized businesses to more than 50% of the Fortune 500.

Workday A.I. CyberSecurity Scoring

Workday

Company Details

Linkedin ID: workday
Employees number: 25,257
Number of followers: 1,260,364
NAICS: 5112
Industry Type: Software Development
Homepage: workday.com
IP Addresses: 0
Company ID: WOR_2352830
Scan Status: In-progress

Workday Risk Score (AI oriented): Between 700 and 749

Workday Global Score (TPRM): XXXX


Workday Company CyberSecurity News & History

Past Incidents: 2
Attack Types: 1
Entity: Workday
Type: Breach
Severity: 50
Impact: 2
Seen: 8/2025
Rankiteo Explanation: Attack limited on finance or reputation

Description: Workday, a provider of enterprise cloud applications for finance and HR, confirmed it was targeted by a **sophisticated social engineering campaign** via a third-party CRM platform. Threat actors used impersonation tactics (phone calls/texts posing as HR/IT) to deceive employees into surrendering credentials, leading to unauthorized access to the CRM system. The breach exposed **business contact information** (names, emails, phone numbers)—data commonly available but used to fuel further scams. Workday clarified that **no customer data, proprietary systems, or tenant environments were compromised**. The company terminated the unauthorized access, reinforced security measures, and emphasized employee training to mitigate future risks. The incident underscores the vulnerability of third-party vendors and human error in cybersecurity defenses.

Entity: Workday
Type: Breach
Severity: 60
Impact: 3
Seen: 9/2025
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Workday confirmed a security breach stemming from a compromise of **Salesloft’s Drift application**, which granted unauthorized access to **customer-facing metadata** within its **Salesforce environment**. The threat actor exploited stolen **OAuth credentials** from Drift to execute targeted search queries in Workday’s Salesforce tenant, exposing non-sensitive data such as **business contact details, support case IDs, tenant attributes (name, data center location), product/service listings, training enrollments, and event logs**. No **file attachments, contracts, financial documents, or sensitive credentials** (e.g., passwords, tokens) were accessed, though Workday is auditing historical case notes for inadvertent disclosures. The attack was **contained to the Salesforce layer** via Drift, with no direct compromise of Workday’s core platform. Customers were advised to **rotate credentials, enforce MFA, and monitor for phishing risks**. The incident highlights third-party integration vulnerabilities and the importance of **OAuth security and access controls** in cloud ecosystems.



Workday Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: Incident Predictions locked

A.I. Risk Score Likelihood 3 - 6 - 9 months: A.I. Risk Score Predictions locked

Underwriter Stats for Workday

Incidents vs Software Development Industry Average (This Year)

Workday has 354.55% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Workday has 212.5% more incidents than the average of all companies with at least one recorded incident.

Incident Types Workday vs Software Development Industry Avg (This Year)

Workday reported 2 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 2 data breaches, compared to industry peers with at least 1 incident.

Incident History — Workday (X = Date, Y = Severity)

Workday cyber incidents detection timeline including parent company and subsidiaries

Workday Company Subsidiaries


Workday Similar Companies

Bosch USA

The Bosch Group’s strategic objective is to create solutions for a connected life. Bosch improves quality of life worldwide with innovative products and services that are "Invented for life"​ and spark enthusiasm. Podcast: http://bit.ly/beyondbosch Imprint: https://www.bosch.us/corporate-informatio

DoorDash

At DoorDash, our mission to empower local economies shapes how our team members move quickly and always learn and reiterate to support merchants, Dashers and the communities we serve. We are a technology and logistics company that started with door-to-door delivery, and we are looking for team membe

Cox Automotive Inc.

Cox Automotive is the world’s largest automotive services and technology provider. Fueled by the largest breadth of first-party data fed by 2.3 billion online interactions a year, Cox Automotive tailors leading solutions for car shoppers, auto manufacturers, dealers, lenders and fleets. The company

Shopee

Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th

Lazada

About Lazada Group Founded in 2012, Lazada Group is the leading eCommerce platform in Southeast Asia. We are accelerating progress in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam through commerce and technology. With the largest logistics and payments networks in the regio

Google

A problem isn't truly solved until it's solved for all. Googlers build products that help create opportunities for everyone, whether down the street or across the globe. Bring your insight, imagination and a healthy disregard for the impossible. Bring everything that makes you unique. Together, we c

TOTVS

Hello, we are TOTVS! The largest technology company in Brazil. 🤓 The undisputed leader in systems and platforms for businesses, TOTVS has more than 70 thousand customers. Going far beyond ERP, it offers complete technology for digitalizing businesses through 3 business units: - Management: ERPs, sol

Booking.com

A career at Booking.com is all about the journey, helping you explore new challenges in a place where you can be your best self. With plenty of exciting twists, turns and opportunities along the way. We’ve always been pioneers, on a mission to shape the future of travel through cutting edge techno

Canva

We're a global online visual communications platform on a mission to empower the world to design. Featuring a simple drag-and-drop user interface and a vast range of templates ranging from presentations, documents, websites, social media graphics, posters, apparel to videos, plus a huge library of f


Workday CyberSecurity News

October 29, 2025 07:00 AM
Infosys, Workday to modernise Metro Bank’s finance ops with cloud-native platform

India's second-largest IT services firm, Infosys, on Wednesday, announced a strategic collaboration with Metro Bank, one of the UK's leading...

October 17, 2025 07:00 AM
Workday Announces New AI Centre of Excellence in Dublin to Accelerate European Innovation

Online Recruitment magazine for HR Directors, Personnel Managers, Job Boards and Recruiters with information on the internet recruitment...

October 15, 2025 07:00 AM
Workday’s Jen Schreiber: Securing the essence of identity

Schreiber's most significant contributions have been to open standards in the area of real-time cybersecurity.

October 15, 2025 07:00 AM
“Payroll Pirate” Social Engineering Attacks on Workday Divert Employees’ Wages

Microsoft warns of social engineering attacks dubbed “payroll pirates” resulting in lost wages after hackers divert employees' earnings to...

October 15, 2025 07:00 AM
Future Professions You Need to Skill Up For

The world of work is changing fast—learn the trends and skills you need to know to stay prepared in your career.

October 15, 2025 07:00 AM
Workday creates 200 jobs after €175m investment in new AI centre

Workday is investing €175m over the next three years to establish an AI Centre of Excellence in Dublin and hire 300 staff.

October 15, 2025 07:00 AM
Workday To Invest €175M in Dublin AI Centre of Excellence, Adding 200 Jobs

Workday, Inc. (NASDAQ: WDAY), the enterprise AI platform for managing people, money, and agents, today announced a three year €175 million...

October 09, 2025 07:00 AM
Investigating targeted “payroll pirate” attacks affecting US universities

Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts...

September 14, 2025 07:00 AM
Weekly Cybersecurity News Recap : Tenable, Qualys, Workday Data Breaches and Security Updates

The breaches at Tenable and Qualys are particularly concerning, as they involved unauthorized access to systems containing sensitive customer...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Workday CyberSecurity History Information

Official Website of Workday

The official website of Workday is http://www.workday.com.

Workday’s AI-Generated Cybersecurity Score

According to Rankiteo, Workday’s AI-generated cybersecurity score is 737, reflecting their Moderate security posture.

How many security badges does Workday have?

According to Rankiteo, Workday currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Workday have SOC 2 Type 1 certification?

According to Rankiteo, Workday is not certified under SOC 2 Type 1.

Does Workday have SOC 2 Type 2 certification?

According to Rankiteo, Workday does not hold a SOC 2 Type 2 certification.

Does Workday comply with GDPR?

According to Rankiteo, Workday is not listed as GDPR compliant.

Does Workday have PCI DSS certification?

According to Rankiteo, Workday does not currently maintain PCI DSS compliance.

Does Workday comply with HIPAA?

According to Rankiteo, Workday is not compliant with HIPAA regulations.

Does Workday have ISO 27001 certification?

According to Rankiteo, Workday is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Workday

Workday operates primarily in the Software Development industry.

Number of Employees at Workday

Workday employs approximately 25,257 people worldwide.

Subsidiaries Owned by Workday

Workday presently has no subsidiaries across any sectors.

Workday’s LinkedIn Followers

Workday’s official LinkedIn profile has approximately 1,260,364 followers.

NAICS Classification of Workday

Workday is classified under the NAICS code 5112, which corresponds to Software Publishers.

Workday’s Presence on Crunchbase

Yes, Workday has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/workday.

Workday’s Presence on LinkedIn

Yes, Workday maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/workday.

Cybersecurity Incidents Involving Workday

As of November 27, 2025, Rankiteo reports that Workday has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Workday has an estimated 26,565 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Workday?

Incident Types: The types of cybersecurity incidents that have occurred include Breach.

How does Workday detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:
  • Containment measures: terminated unauthorized access to the third-party CRM; disabled the Drift connector; revoked all associated OAuth tokens; removed residual integrations
  • Remediation measures: enhanced security awareness training; additional security controls; full audit of historical case text for credential disclosures; customer notifications for credential rotation
  • Third-party assistance: independent forensic firm (unnamed); collaboration with Salesloft
  • Communication strategy: public disclosure; customer reassurance via trusted channels; security awareness reinforcement; direct customer notifications; public advisory via Workday and Salesloft trust portals; detailed MFA/step-up authentication guidance
  • Enhanced monitoring: user activity logs for unusual behavior (recommended to customers)

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: Unauthorized Access to Workday’s Salesforce Environment via Compromised Drift Application

Description: Workday confirmed that a compromise of Salesloft’s Drift application led to unauthorized access to customer-facing data and basic case information within its Salesforce environment. The threat actor exploited Drift’s OAuth credentials to perform targeted search queries in Workday’s Salesforce tenant. Exposed data included non-sensitive metadata such as business contact details, support case identifiers, tenant attributes, product listings, training enrollments, and event logs. No file attachments, contracts, or sensitive documents were accessed. Workday disabled the Drift connector, revoked OAuth tokens, and engaged a forensic firm for investigation. Customers were advised to rotate credentials and enforce multi-factor authentication (MFA).

Date Publicly Disclosed: 2024-08-26

Type: Data Breach

Attack Vector: Compromised Third-Party Application (Drift); OAuth Credential Abuse; Targeted Search Queries in Salesforce

Vulnerability Exploited: Weak OAuth Credential Security in Drift; Lack of Multi-Factor Authentication (MFA) for Third-Party Integrations

Threat Actor: Sophisticated Threat Actor (unknown affiliation)

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Third-Party CRM Platform (via Compromised Employee Credentials) and Compromised OAuth credentials in Salesloft’s Drift application.

Impact of the Incidents

What was the impact of each incident?

Incident : Data Breach WOR1132611091025

Data Compromised: Business contact details, Support case identifiers, Tenant attributes (name, data center location), Product and service listings, Training course enrollments with certificates, Event logs

Systems Affected: Workday’s Salesforce tenant (via Drift integration)

Operational Impact: Forensic investigation; Credential rotation for affected customers; Audit of historical case text for inadvertent disclosures

Brand Reputation Impact: Potential erosion of trust due to third-party vulnerability; Proactive customer notifications and advisory issuance

Identity Theft Risk: Low (no PII or sensitive credentials confirmed exposed)

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Business Contact Information, Non-Sensitive Metadata, and Business Operational Data.

Which entities were affected by each incident?

Incident : Data Breach WOR1132611091025

Entity Name: Workday

Entity Type: Enterprise Software Provider

Industry: Human Capital Management (HCM) and Financial Management

Location: Global (HQ: Pleasanton, California, USA)

Size: Large (10,000+ employees)

Customers Affected: Customers who shared credentials via Salesforce cases (exact number unspecified)

Incident : Data Breach WOR1132611091025

Entity Name: Salesloft (Drift application provider)

Entity Type: Third-Party Vendor

Industry: Sales Engagement and Conversational Marketing

Location: Global (HQ: Atlanta, Georgia, USA)

Response to the Incidents

What measures were taken in response to each incident?

Incident : Data Breach WOR1132611091025

Incident Response Plan Activated: True

Third Party Assistance: Independent forensic firm (unnamed); Collaboration with Salesloft

Containment Measures: Disabled Drift connector; Revoked all associated OAuth tokens; Removed residual integrations

Remediation Measures: Full audit of historical case text for credential disclosures; Customer notifications for credential rotation

Communication Strategy: Direct customer notifications; Public advisory via Workday and Salesloft trust portals; Detailed MFA/step-up authentication guidance

Enhanced Monitoring: User activity logs for unusual behavior (recommended to customers)

How does the company involve third-party assistance in incident response?

Third-Party Assistance: The company involves third-party assistance in incident response through an independent forensic firm (unnamed) and collaboration with Salesloft.

Data Breach Information

What type of data was compromised in each breach?

Incident : Data Breach WOR1132611091025

Type of Data Compromised: Non-sensitive metadata, Business operational data

Sensitivity of Data: Low (no PII, financial data, or sensitive documents)

File Types Exposed: Text-based case notes; Event logs; Training enrollment records

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: enhanced security awareness training, additional security controls, a full audit of historical case text for credential disclosures, and customer notifications for credential rotation.

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by terminating unauthorized access to the third-party CRM, disabling the Drift connector, revoking all associated OAuth tokens, and removing residual integrations.

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Data Breach WOR1132611091025

Lessons Learned:
  • Third-party integrations (e.g., OAuth-based apps) introduce significant risk vectors.
  • Proactive monitoring of anomalous activity in SaaS environments is critical.
  • Regular audits of case text and support logs can mitigate inadvertent credential exposure.
  • Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.

What recommendations were made to prevent future incidents?

Incident : Data Breach WOR1132611091025

Recommendations:
  • Rotate all credentials shared via Salesforce cases.
  • Enforce MFA across all user accounts, especially for third-party integrations.
  • Implement step-up authentication for high-privilege operations.
  • Conduct phishing awareness training and simulated assessments.
  • Monitor user activity logs for unusual behavior.
  • Verify independent impact assessments for direct Drift customers.
  • Follow Salesloft’s supplemental security guidance for Drift ecosystem hardening.

What are the key lessons learned from past incidents?

Key Lessons Learned: The key lessons learned from past incidents are:
  • Human element remains a critical vulnerability in cybersecurity.
  • Third-party vendors can serve as attack vectors for breaching primary targets.
  • Social engineering tactics (e.g., impersonation via phone/SMS) are increasingly sophisticated.
  • Proactive employee training and awareness are essential to mitigate phishing risks.
  • Third-party integrations (e.g., OAuth-based apps) introduce significant risk vectors.
  • Proactive monitoring of anomalous activity in SaaS environments is critical.
  • Regular audits of case text and support logs can mitigate inadvertent credential exposure.
  • Multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.

References

Where can I find more information about each incident?

Incident : Data Breach WOR1132611091025

Source: Workday Security Advisory

Incident : Data Breach WOR1132611091025

Source: Salesloft Trust Portal Update (August 26, 2024)

Where can stakeholders find additional resources on cybersecurity best practices?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Workday Official Statement (https://www.workday.com/en-us/company/trust/security-trust.html), Workday Security Advisory, and Salesloft Trust Portal Update (August 26, 2024).

Investigation Status

What is the current status of the investigation for each incident?

Incident : Data Breach WOR1132611091025

Investigation Status: Ongoing (forensic analysis and customer audits in progress)

How does the company communicate the status of incident investigations to stakeholders?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through public disclosure, customer reassurance via trusted channels, security awareness reinforcement, direct customer notifications, public advisory via Workday and Salesloft trust portals, and detailed MFA/step-up authentication guidance.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident?

Incident : Data Breach WOR1132611091025

Stakeholder Advisories: Direct notifications to affected customers; Public guidance on MFA and credential rotation.

Customer Advisories: Rotate credentials transmitted via Salesforce cases; Audit historical case text for sensitive data; Enforce MFA and step-up authentication; Review Drift integration configurations (if applicable).

What advisories does the company provide to stakeholders and customers following an incident?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Workday reassured customers that no proprietary data or tenant environments were compromised; emphasized the importance of verifying communication channels before sharing sensitive information; directed customers to Workday’s Security and Trust webpage for updates; reminded customers that Workday will never request passwords or secure details via phone; issued direct notifications to affected customers and public guidance on MFA and credential rotation; and advised customers to rotate credentials transmitted via Salesforce cases, audit historical case text for sensitive data, enforce MFA and step-up authentication, and review Drift integration configurations (if applicable).

Initial Access Broker

How did the initial access broker gain entry for each incident?

Incident : Data Breach WOR1132611091025

Entry Point: Compromised OAuth credentials in Salesloft’s Drift application

High Value Targets: Workday’s Salesforce tenant; Customer support case data

Data Sold on Dark Web: Workday’s Salesforce tenant; Customer support case data

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident?

Incident : Data Breach WOR1132611091025

Root Causes: Insufficient protection of Drift’s OAuth credentials by Salesloft; Lack of granular access controls for third-party integrations in Salesforce; Potential over-reliance on single-factor authentication for high-risk operations.

Corrective Actions: Disabling vulnerable Drift connector and revoking OAuth tokens; Engaging forensic firm for comprehensive system review; Issuing customer advisories for credential rotation and MFA enforcement; Publishing detailed guidance for authentication hardening.

What is the company's process for conducting post-incident analysis?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as an independent forensic firm (unnamed), collaboration with Salesloft, and user activity logs for unusual behavior (recommended to customers).

What corrective actions has the company taken based on post-incident analysis?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: terminated unauthorized access to the CRM system; enhanced employee training on social engineering tactics; implemented additional security measures (details undisclosed); reinforced communication policies to prevent credential harvesting; disabled the vulnerable Drift connector and revoked OAuth tokens; engaged a forensic firm for comprehensive system review; issued customer advisories for credential rotation and MFA enforcement; and published detailed guidance for authentication hardening.

Additional Questions

General Information

Who was the attacking group in the last incident?

Last Attacking Group: The attacking group in the last incident was a Sophisticated Threat Actor (unknown affiliation).

Incident Details

What was the most recent incident publicly disclosed?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-08-26.

Impact of the Incidents

What was the most significant data compromised in an incident?

Most Significant Data Compromised: The most significant data compromised in an incident was: business contact information (names, email addresses, phone numbers); business contact details; support case identifiers; tenant attributes (name, data center location); product and service listings; training course enrollments with certificates; and event logs.

What was the most significant system affected in an incident?

Most Significant System Affected: The most significant systems affected in an incident were a third-party CRM platform and Workday's Salesforce tenant (via the Drift integration).

Response to the Incidents

What third-party assistance was involved in the most recent incident?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was an independent forensic firm (unnamed) and collaboration with Salesloft.

What containment measures were taken in the most recent incident?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: terminated unauthorized access to the third-party CRM; disabled the Drift connector; revoked all associated OAuth tokens; removed residual integrations.

Data Breach Information

What was the most sensitive data compromised in a breach?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach was: training course enrollments with certificates; product and service listings; business contact details; event logs; business contact information (names, email addresses, phone numbers); support case identifiers; tenant attributes (name and data center location).

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was that multi-factor authentication (MFA) and step-up authentication are essential for high-privilege operations.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were:

- Implement multi-factor authentication (MFA) for all critical systems, including third-party platforms.
- Monitor dark web/underground forums for signs of stolen credentials or exposed data.
- Enhance employee training programs to recognize and report social engineering attempts (e.g., phishing, impersonation).
- Reinforce communication policies (e.g., never request passwords via phone/SMS).
- Adopt behavioral analytics to detect anomalous access patterns in real time.
- Enforce MFA across all user accounts, especially for third-party integrations.
- Monitor user activity logs for unusual behavior.
- Conduct phishing awareness training and simulated assessments.
- Verify independent impact assessments for direct Drift customers.
- Implement step-up authentication for high-privilege operations.
- Follow Salesloft's supplemental security guidance for Drift ecosystem hardening.
- Rotate all credentials shared via Salesforce cases.
- Regularly audit third-party vendor security practices and access controls.

References

What is the most recent source of information about an incident?

Most Recent Source: The most recent sources of information about an incident are the Workday Security Advisory, the Salesloft Trust Portal Update (August 26, 2024) and the Workday Official Statement.

What is the most recent URL for additional resources on cybersecurity best practices?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.workday.com/en-us/company/trust/security-trust.html.

Investigation Status

What is the current status of the most recent investigation?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Resolved (unauthorized access terminated; additional security measures implemented).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: Workday reassured customers that no proprietary data or tenant environments were compromised; emphasized the importance of verifying communication channels before sharing sensitive information; sent direct notifications to affected customers; and published public guidance on MFA and credential rotation.

What was the most recent customer advisory issued?

Most Recent Customer Advisory: The most recent customer advisories issued were: customers were directed to Workday's Security and Trust webpage for updates, with the reminder that Workday will never request passwords or secure details via phone; and customers were told to rotate credentials transmitted via Salesforce cases, audit historical case text for sensitive data, enforce MFA and step-up authentication, and review Drift integration configurations (if applicable).

Initial Access Broker

What was the most recent entry point used by an initial access broker?

Most Recent Entry Point: The most recent entry points used by an initial access broker were a third-party CRM platform (via compromised employee credentials) and compromised OAuth credentials in Salesloft's Drift application.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: a successful social engineering attack exploiting human trust; inadequate verification of unsolicited communication (phone/SMS); potential gaps in third-party vendor security controls; insufficient protection of Drift's OAuth credentials by Salesloft; lack of granular access controls for third-party integrations in Salesforce; potential over-reliance on single-factor authentication for high-risk operations.

What was the most significant corrective action taken based on post-incident analysis?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: terminated unauthorized access to the CRM system; enhanced employee training on social engineering tactics; implemented additional security measures (details undisclosed); reinforced communication policies to prevent credential harvesting; disabled the vulnerable Drift connector and revoked OAuth tokens; engaged a forensic firm for a comprehensive system review; issued customer advisories for credential rotation and MFA enforcement; published detailed guidance for authentication hardening.

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a credential leak by app logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking whether a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.

Risk Information
CVSS v4.0
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
CVSS v4.0
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
CVSS v4.0
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
CVSS v3.1
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
CVSS v3.1
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=workday' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.