Trust and transparency are at the center of everything we do at Workday, and we’re sharing the following information to help our customers protect their organizations.

On August 23, 2025, Workday became aware of a security issue in Salesloft’s Drift application, a third-party app that connects to Salesforce. Upon learning of the issue, we disconnected the app, invalidated Drift’s tokens, and began removing any related integrations. We simultaneously began an investigation, with support from a forensic firm, and initiated an evaluation of Workday’s vendors who use Drift.

On August 26, 2025, Salesloft provided additional information about the incident on its website, confirming that a threat actor had compromised its systems, obtained OAuth credentials, and used those credentials to run searches in its customers’ Salesforce environments. Our investigation identified that we had been impacted.

Out of an abundance of caution, we strongly urge all customers to rotate any credentials that may have been shared with Workday through a support case.

WHAT WE’VE FOUND:

We have verified that the threat actor had no access to Workday customer tenants through our connection with Drift.

The threat actor’s searches provided access only to a very small subset of information from our Salesforce environment, such as business contact information, basic support case information, basic tenant-related attributes such as tenant name, data center name, product names and services, training courses and certificates, and event logs.

The threat actor did not have access to external files stored in Salesforce such as contracts, order forms, or attachments customers may have sent through a case. Our third-party forensics firm has verified these findings.

Salesforce support cases may include the text of customer support tickets with Workday. While we advise customers not to include sensitive information (such as login credentials) in these cases, and the threat actor’s access was limited to a small subset, we are proactively searching all cases for any credentials.

As we finalize our search, we will directly notify customers if we find sensitive information specific to their cases.

Customers who have their own relationships with Drift should verify any individual impact based on how they use the app. 

WHAT SHOULD CUSTOMERS DO?

We recommend that customers continue to follow best practices to keep their tenants secure, including:

  • Regularly rotate credentials, and rotate them in response to any security incident.

  • Never share credentials or other secrets in cases.

  • Require multi-factor authentication whereby individuals are required to complete additional steps after successfully entering a password. Instructions can be found here.

  • Require step-up authentication for sensitive task access when no multi-factor authentication is used for initial login with single sign on (SSO). Instructions can be found here.

  • Conduct awareness training that teaches users how to identify phishing emails. Training should emphasize that passwords are typically not requested via email from third parties.

  • Perform regular phishing tests to help ensure understanding and compliance.

  • Monitor user activity and enable notifications on changes to sensitive information. Instructions can be found here.

Salesloft has published additional information and some security recommendations on their blog, which customers should review.

Your trust is our highest priority, and we sincerely apologize for the inconvenience this may cause. We are committed to being transparent about what occurred and to providing clear guidance so you can protect your organization.
