Workday A.I CyberSecurity Scoring
Workday
Company Information
Website: http://www.workday.com
Employees number: 26,861
Number of followers: 1,323,784
NAICS: 5112
Industry Type: Software Development
Homepage: workday.com
Workday Risk Score (AI oriented)
Between 650 and 699
Workday, Software Development
Updated: 04/05/2026
656/1000, Weak, B

Workday: Weak
Current Score: 656, B (WEAK), on a scale of 0 to 1000
3 incidents
-52 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 660
MAY 2026: 656
APRIL 2026: 653
MARCH 2026: 722
Breach
20 Mar 2026 • Workday
Notion, Slack, Google, Zoom, Nikkei and Workday: Your work apps are quietly handing 19 data points to someone
Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns
651
CRITICAL-71
WORNOTGOOZOONIKTIN1777868873
A recent study by Incogni, analyzing data from the Google Play Store as of March 20, 2026, reveals that ten widely used workplace apps, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, collect an average of 19 data points per app, with some sharing sensitive information with third parties. These apps, cumulatively downloaded over 12.5 billion times, are integral to U.S. corporate operations but pose significant privacy and security risks.
Data Collection and Sharing Practices
Gmail leads in data harvesting, collecting 26 distinct data types, including approximate location, app interactions, and user IDs for advertising. Microsoft Teams and Zoom Workplace follow closely, with 25 and 23 data types, respectively, both uniquely gathering precise location data. Six of the ten apps, including Slack, Notion, and Zoom Workplace, use collected data for marketing, with Slack, Todoist, and Notion specifically harvesting employee email addresses for this purpose.
Notion stands out for its outbound data flow, sharing eight data types, such as email addresses, names, and device IDs, with third parties, including advertising partners. The app’s privacy policy permits tracking tools on user browsers, raising concerns over the exposure of sensitive workspace content like HR records and client data. Regulatory scrutiny has intensified, particularly after the EU’s Data Protection Board tightened GDPR requirements in December 2024 regarding personal data use in AI training, directly impacting Notion’s third-party model integrations.
Security Vulnerabilities and Breach History
Most apps in the study have a history of breaches. In January 2026, a 96-gigabyte database containing 149 million login credentials, 48 million tied to Gmail, was exposed, attributed to infostealer malware on user devices. Slack suffered a November 2025 breach where attackers used stolen credentials to access accounts of over 17,000 Nikkei employees, exposing names, emails, and chat histories. Trello, Zoom, and Microsoft products have also faced incidents, with Trello data appearing for sale in January 2024.
Workday is the only app in the analysis without a user data deletion option, despite holding employment records and payroll details. In August 2025, the platform confirmed two breaches linked to its Salesforce CRM, where attackers obtained business contact information as part of a ShinyHunters social engineering campaign.
BYOD Risks and Platform Disparities
Many employees install these apps on personal devices, exposing contact details, financial data, and location information to advertising networks or corporate administrators. Slack, for example, lacks end-to-end encryption, allowing workspace owners to access direct messages and private channels. While the study focuses on Google Play data, Incogni notes that iOS disclosures may differ, though past comparisons suggest similar privacy practices across platforms.
The findings highlight the trade-offs between workplace productivity and data exposure, with recurring breaches and extensive tracking underscoring the risks of integrating these tools into daily operations.
FEBRUARY 2026: 773
JANUARY 2026: 778
DECEMBER 2025: 774
NOVEMBER 2025: 774
OCTOBER 2025: 773
SEPTEMBER 2025: 766
Breach
25 Sep 2025 • Workday
Salesloft
AI-Powered Supply Chain Attack via Compromised Salesloft-Drift Integration (2025)
721
CRITICAL-45
SAL2862828092525
The attack on Salesloft began with the compromise of an internal GitHub repository, where attackers stole a high-privilege OAuth token granting access to its Drift cloud application. Exploiting Drift’s trusted integrations, the attackers pivoted to Salesforce instances of multiple high-profile customers—including Palo Alto Networks, Cloudflare, Zscaler, and Tenable—exfiltrating customer conversation data, contact details, and sensitive business information. The breach exposed a supply-chain vulnerability, where a single compromised AI-powered integration (Drift’s chatbot) enabled mass data theft across 700+ organizations, including cybersecurity leaders. The attackers also harvested OpenAI API credentials, demonstrating the cascading risks of interconnected AI ecosystems. While companies like Okta mitigated damage via IP allow-listing, others faced reputational harm, forensic costs, and erosion of customer trust. The incident highlighted critical gaps in third-party risk management, token security, and AI integration monitoring, with long-term implications for enterprise security postures.
AUGUST 2025: 811
Breach
16 Aug 2025 • Workday
Workday: Workday hit in wave of social engineering attacks
Workday Third-Party Cyberattack Linked to ShinyHunters
771
MEDIUM-40
WOR1768679649
Workday Hit by Third-Party Cyberattack Linked to ShinyHunters
Workday, a leading HR platform provider, disclosed a cyberattack on 16–17 August after threat actors breached its systems via a third-party supplier. The incident appears tied to a broader wave of attacks likely orchestrated through Salesforce products linked to the ShinyHunters cybercrime group, though Workday did not confirm the specific threat actor or software involved.
In a public notice, Workday revealed that attackers accessed limited data from its third-party CRM platform, primarily business contact information such as names, email addresses, and phone numbers. The company emphasized that no customer tenant data or internal systems were compromised. Immediate containment measures were taken, including revoking access and implementing additional safeguards.
The breach stemmed from a social engineering campaign targeting multiple large organizations, with the stolen data potentially intended for further phishing scams. Workday clarified that it never requests passwords or sensitive details via phone, urging users to verify communications through official support channels.
The incident underscores the growing risk of supply chain attacks, where cybercriminals exploit vulnerabilities in third-party vendors to infiltrate larger targets. While the full scope of the campaign remains under investigation, the attack aligns with recent tactics attributed to ShinyHunters, a group known for high-profile data breaches.
JULY 2025: 814