Workiva, a leading cloud-based SaaS provider, has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) system. The company confirmed that a limited set of customer data was exfiltrated, though its core platform and customer content remain secure.
Workiva’s platform, widely used for financial reporting, compliance, and audit processes, serves more than 6,300 customers, including 85% of the Fortune 500. Its client roster features major corporations such as Google, T-Mobile, Delta Air Lines, Hershey, Slack, Cognizant, Nokia, Kraft Heinz, Wendy’s, and Mercedes-Benz. In 2024, the company reported revenues of $739 million.
According to customer notifications, the stolen data included business contact information, email addresses, phone numbers, and support ticket content. Workiva emphasized that no customer platform data was accessed or compromised, and the incident originated from unauthorized access via a connected third-party app.
The company urged impacted customers to remain alert against spear-phishing attacks. Workiva will never request passwords or sensitive details by text or phone. All communications come only through official support channels.
The incident is part of a broader campaign targeting Salesforce customers, linked to the ShinyHunters extortion group. The group has conducted data theft operations throughout 2025, using voice phishing (vishing) and, more recently, exploiting OAuth tokens from Salesloft’s Drift AI chat integration with Salesforce.
This method has allowed attackers to infiltrate Salesforce instances at numerous organizations, extracting sensitive data such as passwords, AWS keys, and Snowflake tokens from customer support tickets. Victims include Google, Cisco, Allianz Life, Farmers Insurance, Adidas, Qantas, and LVMH brands like Dior, Louis Vuitton, and Tiffany & Co.
Just weeks earlier, Cloudflare confirmed rotating 104 platform-issued tokens after its Salesforce system was compromised in the same campaign.
While Workiva’s breach did not expose sensitive customer platform data, it highlights the growing risks of supply chain and SaaS ecosystem attacks, where third-party integrations are exploited to compromise global enterprises.
Using this approach, ShinyHunters not only stole Salesforce CRM data but also accessed a limited number of Google Workspace accounts and breached Salesforce instances at several cybersecurity firms, including Zscaler, Tenable, CyberArk, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
