Workday CRM breach amplifies fears of an alliance between ShinyHunters and Scattered Spider
Cybercrime supergroup feared to be using sophisticated social engineering techniques in joint attacks against big-name victims.
The cloud HR software giant Workday has disclosed a data breach which bears the fingerprints of threat actors linked to two of the world's most prominent cybercrime gangs.
Workday admitted it had fallen victim to a social engineering campaign, which enabled threat actors to access "some" information from its third-party CRM platform - which it did not name.
Crooks contacted employees via phone or text messages, posing as IT and human resources staff in order to trick victims into "giving up account access or their personal information", the company said.
"We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform," the company wrote. "There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.
"The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams.
"It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels."
SpiderHunters spinning a web of deceit
The attack came just days after security researchers warned that a hacking group called ShinyHunters had reactivated after a year of inactivity and may have formed a shadowy alliance with Scattered Spider, the gang blamed for a number of attacks on prominent British High Street brands.
ReliaQuest reported that a user called "Sp1d3rhunters" linked to a past ShinyHunters breach is currently active on the dark web hacking forum and marketplace BreachForums.
Also tracked as UNC6040, ShinyHunters is a financially motivated group that is known for credential theft and database exploitation, whereas the English-speaking Scattered Spider gang is infamous for its social engineering skill, including the manipulation of helpdesk systems, as well as registering impersonation domains to enable phishing attacks.
Both groups have targeted the same sectors during "overlapping timeframes, hitting retail between April and May 2025, insurance from June to July and ending the summer by blasting aviation between June and August.
While ShinyHunters previously struck sporadically and aimed at one target at a time, recent multi-sector activity mirroring Scattered Spider’s timing and focus suggests joint operations are underway.
Don't get conned by The Com...
ReliaQuest said both organisations were part of a wider group called The Com (short for The Community), which is "a sprawling network of disparate sub-groups and cliques that engage in account takeover activity, SIM-swapping, cryptocurrency theft, swotting, and sextortion".
"Some sub-groups have even engaged in more extreme activities like 'violence for hire' and coercing individuals into self-harm," it wrote.
"The Com is likely predominantly made up of technically savvy English-speaking teenagers and young adults, capable of diverse techniques to compromise complex hybrid environments and motivated by making money, humiliating their foes, and causing as much disruption as possible."
READ MORE: Russian hackers hijacked a Norwegian dam, opened literal and metaphorical floodgates
ReliaQuest has observed ShinyHunters adopting "Scattered Spider's signature moves", including:
- Targeted vishing attacks which impersonate IT support to pressure employees into approving malicious “connected apps.”
- The use of fake business tools to steal sensitive corporate data.
- VPN obfuscation with Mullvad VPN to exfiltrate data.
- The deployment of fake Okta-themed phishing sites during vishing calls to harvest login credentials.
"These tactics align closely with Scattered Spider’s trademark methods and those of the broader collective, The Com, fueling speculation about active collaboration between the groups," ReliaQuest warned.
A threat actor on Telegram using the alias "Sp1d3rhunters" has also reportedly claimed the two groups "are the same" and "have always been the same".
ReliaQuest continued: "This Sp1d3rhunters alias, cleverly combining the two groups’ names, also appeared on BreachForums under an account created in May 2024. Two months later, the account leaked data connected to the breach [of a prominent ticketing company] - a data leak previously advertised by ShinyHunters.
"If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year."
Google searches for answers after a data breach
Google's Threat Intelligence Group (GTIG) backed up this warning and revealed that one of its corporate CRM instances was impacted by activity resembling the modus operandi of ShinyHunters.
The CRM instance was used to store contact information and related notes for small and medium businesses. A threat actor accessed data "during a small window of time" before being locked out.
This data was confined to basic and largely publicly available business information, such as business names and contact details.
Google researchers wrote: " GTIG has observed infrastructure across various intrusions that shares characteristics with elements previously linked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as 'The Com'.
"We’ve also observed overlapping tactics, techniques, and procedures (TTPs)... It's plausible that these similarities stem from associated actors operating within the same communities, rather than indicating a direct operational relationship between the threat actors."
A summer of cybercrime
The incident is yet another grim reminder of the growing threat posed by cybercriminals, coming after a long, sultry summer of breaches and attacks.
Pat Larkin, President of Ekco Security, said: “The Workday breach is just the latest example showing that this summer’s cyberattacks aren’t easing off. Attackers continue to target users whether internal or in the supply chain - because it works.
"The end user and your supply chain are often the weakest links, and that’s exactly what threat actors exploit."
The human element is a well-known cybersecurity vulnerability that is very difficult - if not impossible - to plug. Although threat actors are using new technology and advanced tactics, they often rely on the oldest tricks in the book to scam victims and steal the data they need to extend their attacks.
Richard Orange, VP EMEA, Abnormal AI, warned: "Workday’s disclosure ties back to reality that the most high profile and damaging breaches of the last 18 months in terms of reputational impact and financial loss, have come as a result of attacks that stem from the attackers ability to manipulate people via social engineering, not via software vulnerabilities.
READ MORE: Dark web Initial Access Brokers are selling hacked network access for as little as $500, study reveals
"The exposure of business contact information will provide attackers with the raw materials to launch convincing follow-on phishing, vishing, or business email compromise campaigns. Attackers leverage the data and combine it with bad AI to create hyper realistic attacks that are hard to detect by the human eye.
"Stopping social engineering isn’t just a technical issue, it’s a cultural one. That’s why employee awareness is critical. Organisations need to ensure their people are trained to recognise and report suspicious requests, particularly those that pressure them to approve third-party applications or share credentials.
Equally important is implementing layered defences like least-privilege access controls and anomaly detection. You can’t always rely on employees as a safety net for security. As attackers grow more sophisticated, technical controls must be combined with strong employee education to prevent social engineering."
Dray Agha, senior manager of security operations at Huntress, also offered three "non-negotiable defences" to help organisations stay safe.
"A huge number of attacks begin with social engineering, users being deceived, and user enrollment in the execution of malware," Agha said. "Effective security awareness training is a must for any organisation that wishes to repudiate cyber attacks
"Eliminate OAuth blind spots, enforce strict allow-listing for third-party app integrations, and review connections at a regular interval.
"Adopt phishing-resistant MFA: Hardware tokens are essential, as 'MFA fatigue' attacks remain trivial."
MFA fatigue (also called MFA bombing or spamming) is a type of social engineering attack in which attackers flood a user with repeated multi-factor authentication requests. The aim is to wear the user down until they approve one by mistake or frustration, giving the attacker account access.
Defending against social engineering attacks
Boris Cipot, senior security engineer at Black Duck, shared the following guidance on how to deal with attacks that exploit human weaknesses.
He said: "Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and 'internal' information to appear legitimate.
"To protect against social engineering, organisations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. Employees should be aware of these procedures and understand that they will not be penalised for refusing to provide information or assist someone impersonating a superior.
"The victims of the data breach should be careful. Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks."
