Cushman & Wakefield — vishing-led Salesforce CRM breach, ShinyHunters dump
Real-estate services giant Cushman & Wakefield confirmed a vishing-driven Salesforce compromise; ShinyHunters published a 50GB archive of more than 500,000 records after a 6 May ransom deadline lapsed.
- Target
- Cushman & Wakefield — vishing-led Salesforce CRM breach, ShinyHunters dump
- Date public
- 5 May 2026
- Sector
- Professional Services
- Attack type
- Phishing
- Threat actor
- ShinyHunters (separate Qilin leak-site claim, no confirmed coalition)
- Severity
- High
- Region
- Global (US-headquartered)
ShinyHunters listed Cushman & Wakefield on its extortion portal on 1 May 2026, claiming theft of more than 500,000 Salesforce records containing personal information and other internal corporate data. Three days later, on 4 May, the Qilin ransomware operation separately listed Cushman & Wakefield on its own data-leak site. The two crews have no previously documented relationship; the dual claim appears to be coincidence rather than coordination.
On 5 May 2026 The Register reported that Cushman & Wakefield had confirmed the intrusion. The company’s statement to the publication called it “a limited data security incident due to vishing” — voice phishing of an employee — and said it had “activated our response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors.” The company did not confirm the ShinyHunters record counts or address the Qilin claim.
ShinyHunters set a final ransom deadline of 6 May 2026. The deadline passed without a deal, and the group subsequently published a 50GB archive on its leak portal. Cybernews, which reviewed the dataset, reported that the dump comprised Salesforce CRM records consistent with the original 500,000-plus claim.
The Cushman & Wakefield intrusion sits inside the wider ShinyHunters Salesforce-linked campaign already in this index via Salesloft/Drift, Carnival, Pitney Bowes, Medtronic, Vimeo/Anodot and Instructure/Canvas. The pattern across the cluster is consistent: phishing-compromised employee identity, pivot into a Salesforce CRM, bulk customer-record export, listing on the extortion portal, public dump on refusal. The Cushman & Wakefield variant adds vishing as the initial-access technique, which fits the same Scattered Spider / ShinyHunters tradecraft already documented in the ADT and Marks & Spencer intrusions.
A deep-dive will follow once the regulatory and customer-notification picture firms up, the Qilin claim is independently corroborated or dismissed, and the access chain from compromised employee account to bulk Salesforce export is publicly documented.