Workiva, a number one cloud-based SaaS (Software program as a Service) supplier, notified its prospects that attackers who gained entry to a third-party buyer relationship administration (CRM) system stole a few of their information.
The corporate’s cloud software program helps acquire, join, and share information for monetary reviews, compliance, and audits. It had 6,305 prospects on the finish of final yr and reported revenues of $739 million in 2024.
Its buyer record consists of 85% of the Fortune 500 corporations and high-profile purchasers equivalent to Google, T-Cellular, Delta Air Traces, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy’s, Paramount, Air France KLM, Mercedes-Benz, and extra.
In line with a personal e-mail notification despatched to affected Workiva prospects final week and seen by BleepingComputer, the menace actors exfiltrated a restricted set of enterprise contact info, together with names, e-mail addresses, telephone numbers, and assist ticket content material.
“That is just like current occasions which have focused a number of giant organizations. Importantly, the Workiva platform and any information inside it weren’t accessed or compromised,” the corporate defined. “Our CRM vendor notified us of unauthorized entry through a linked third-party software.”
Workiva additionally warned impacted prospects to stay vigilant, because the stolen info might be utilized in spear-phishing assaults.
“Workiva won’t ever contact anybody by textual content or telephone to request a password or every other safe particulars. All communications from Workiva come by way of our trusted official assist channels,” it mentioned.
Salesforce data breaches
Whereas Workiva did not share extra particulars relating to this assault, BleepingComputer has discovered that this incident was a part of the current wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile corporations.
Most just lately, Cloudflare disclosed that it was compelled to rotate 104 Cloudflare platform-issued tokens stolen by ShinyHunters menace actors, who gained entry to the Salesforce occasion used for buyer assist and inside buyer case administration in mid-August.
ShinyHunters has been focusing on Salesforce prospects in information theft assaults utilizing voice phishing (vishing) because the begin of the yr, impacting corporations equivalent to Google, Cisco, Allianz Life, Farmers Insurance coverage, Workday, Qantas, Adidas, and LVMH subsidiaries, together with Dior, Louis Vuitton, and Tiffany & Co.
Extra just lately, the extortion group has shifted to utilizing stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce to realize entry to buyer Salesforce situations and extract delicate info, equivalent to passwords, AWS entry keys, and Snowflake tokens, from buyer messages and assist tickets.
Utilizing this methodology, the ShinyHunters additionally gained entry to a small variety of Google Workspace accounts along with stealing Salesforce CRM information, and breached the Salesforce situations of cybersecurity corporations Zscaler and Palo Alto Networks.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration traits.
