Workiva discloses customer data breach tied to third-party CRM attack

Workiva, a major provider of cloud-based compliance and reporting software, confirmed last week that attackers accessed a third-party customer relationship management system and stole some customer data. The breach is part of a broader wave of Salesforce-related incidents linked to the ShinyHunters extortion group.

In an email notification sent to affected clients and obtained by BleepingComputer, Workiva said the stolen data included business contact information such as names, email addresses, phone numbers and support ticket details. The company emphasized that its own cloud platform, used by 6,305 customers worldwide for financial reporting, compliance and audits, was not compromised.

“Our CRM vendor notified us of unauthorized access via a connected third-party application,” Workiva told customers. “Importantly, the Workiva platform and any data within it were not accessed or compromised.” The company also warned recipients to watch for potential spear-phishing attempts using the exposed contact details, stressing that Workiva will never request passwords or secure credentials outside its official support channels.

Workiva serves some of the world’s largest enterprises, counting 85 percent of the Fortune 500 among its clients. Its customer roster includes Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Cognizant, Mercedes-Benz and many others. The Ames, Iowa-based firm reported $739 million in revenue in 2024.

The breach adds Workiva to a growing list of high-profile companies affected by ShinyHunters, a hacking collective that has been targeting Salesforce customers since early this year. The group has used tactics ranging from voice phishing to the theft of OAuth tokens from third-party applications integrated with Salesforce. These techniques have enabled access to sensitive customer data, support case content, and in some cases credentials for cloud services.

Earlier in August, Cloudflare revealed it had to rotate 104 platform-issued tokens after ShinyHunters infiltrated its Salesforce environment. Other victims of related attacks include Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance and luxury conglomerate LVMH.

Security analysts warn that while the scope of the stolen data in Workiva’s case appears limited, the incident underscores ongoing risks from supply chain attacks targeting widely used enterprise software platforms.