Real estate services giant Cushman & Wakefield confirmed a data breach in early May 2026 after ShinyHunters claimed it had stolen more than 500,000 Salesforce records through a voice phishing — or vishing — attack that manipulated an employee into handing over login credentials. When ransom negotiations stalled, the group dumped a 50-gigabyte dataset publicly. Making matters worse, a second criminal group, Qilin, simultaneously listed Cushman & Wakefield on its own data leak site — leaving the company facing competing extortion claims from two separate threat actors.
How the Attack Happened
ShinyHunters claimed it compromised Cushman & Wakefield beginning on May 1, 2026, using vishing — a technique where attackers place phone calls to employees impersonating internal IT support or trusted vendors. In this case, the caller convinced an employee to provide Salesforce credentials or connect an attacker-controlled third-party tool to the company’s Salesforce environment.
Cushman & Wakefield confirmed the attack vector in a statement, acknowledging it “recently became aware of a limited data security incident due to vishing” and that it “activated response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors.”
The company described the incident as “limited” in scope — a characterization ShinyHunters rejected.
500,000 Salesforce Records, 50GB Leaked
ShinyHunters claimed the vishing-enabled access yielded over 500,000 Salesforce records containing PII and other internal corporate data. The group set a May 6 deadline for Cushman & Wakefield to make contact and negotiate.
When no contact was made by the deadline, ShinyHunters published the full dataset — a 50GB dump of Salesforce data pulled from one of the world’s largest commercial real estate firms. The leak contains customer and employee records, deal data, and internal business information from a company that manages properties and transactions worth hundreds of billions of dollars annually.
Qilin Stakes a Second Claim
Compounding Cushman & Wakefield’s crisis, Qilin — an increasingly aggressive ransomware-as-a-service group — separately listed the company on its data leak site on May 4, 2026, two days before ShinyHunters’ deadline expired. It remains unclear whether Qilin and ShinyHunters operated independently of each other or whether they shared an initial access point.
Dual claims on the same target are increasingly common in 2026 as initial access brokers sell footholds to multiple buyer groups simultaneously. The result for victims is compounded exposure: even if one group’s ransom demands are met, a second, independent threat actor may still publish or monetize the stolen data.
Vishing: The Attack Vector Reshaping Enterprise Security
The Cushman & Wakefield breach is part of a broader vishing campaign that security researchers have linked to ShinyHunters and related threat actors throughout 2025 and 2026. The group’s modus operandi:
- Research the target: Identify employees with access to high-value systems (Salesforce, AWS, identity providers)
- Spoof or impersonate: Call posing as internal IT, a known vendor, or a managed security provider
- Social engineer credentials: Convince the target to share credentials, approve an MFA push, or install a “support tool”
- Exfiltrate before detection: Pull data from Salesforce, cloud storage, or enterprise applications while the employee believes they are being helped
Salesforce’s centralized data model makes it an especially high-value target — a single set of credentials can expose CRM records, deal pipelines, customer PII, and internal communications across an entire enterprise.
Salesforce Accelerates Security Enforcement
In direct response to the wave of vishing attacks targeting its platform, Salesforce announced on May 6, 2026 that it would begin enforcing additional mandatory security controls starting June–August 2026. System administrators received email notifications outlining the timeline, which includes expanded multi-factor authentication requirements, new restrictions on third-party connected app permissions, and enhanced anomaly detection for bulk data exports.
What Organizations Should Do Now
The Cushman & Wakefield breach illustrates that even well-resourced enterprises are vulnerable to social engineering. Key mitigations:
- Zero-trust for support calls: Establish a policy that IT and security staff never ask for passwords or MFA codes via phone — and that employees should verify any such request through a separate, out-of-band channel
- Salesforce Connected App audits: Review all third-party applications with OAuth access to your Salesforce org and revoke anything that cannot be validated
- Bulk export alerts: Configure Salesforce Event Monitoring to alert on large-scale data exports immediately
- Vishing awareness training: Include realistic call simulations in security awareness programs — employees need to recognize the script that attackers use
- MFA everywhere: Ensure all Salesforce logins require phishing-resistant MFA (hardware keys or passkeys rather than SMS or authenticator push)
Cushman & Wakefield joins a growing roster of major enterprises — including Carnival Corporation and Instructure — where ShinyHunters leveraged social engineering rather than technical exploits to establish its initial foothold. The group’s pivot to vishing reflects a broader shift in the threat landscape: the weakest link is often a phone call, not a vulnerability.
