Cushman & Wakefield, one of the world’s largest commercial real estate services firms, confirmed a cyber incident in early May 2026 after both ShinyHunters and Qilin ransomware separately listed the company on their dark web leak sites within days of each other. ShinyHunters claimed to have stolen over 500,000 Salesforce records containing personal identifying information and internal corporate data, setting a ransom deadline of May 6, 2026. When the deadline passed unmet, ShinyHunters published a 50GB dataset from the breach on a hacker forum, with the 50GB file confirmed as published by May 9, 2026.
Cushman & Wakefield described the incident as a “limited data security incident due to vishing” — a voice phishing attack that social-engineered employees into surrendering credentials. The firm stated its systems and operations continue to run normally.
The Vishing Attack Vector Behind the Salesforce Record Theft
Vishing — voice-based phishing — involves attackers calling employees while impersonating IT support, security teams, or executive personnel to extract login credentials, authentication codes, or convince targets to approve multi-factor authentication prompts.
ShinyHunters claimed the breach originated on May 1, 2026. The confirmed vishing vector makes this incident consistent with a growing pattern of threat actors investing in social engineering to gain initial access to enterprise SaaS platforms — particularly those protected by MFA that blocks credential-stuffing but remains vulnerable to real-time conversational pressure.
Why MFA Does Not Prevent Vishing-Based SaaS Compromise
Vishing’s effectiveness against MFA-hardened environments comes from exploiting the human layer rather than technical authentication controls. An attacker calling while posing as an IT support technician can convince an employee to read back a one-time passcode, approve an MFA push notification on their phone, or navigate to a credential-harvesting page while on the call. In all cases, the multi-factor authentication system behaves as designed — the human approved it — while the attacker gains authenticated session access to corporate SaaS infrastructure.
The Salesforce platform specifically is a high-value vishing target because it concentrates extensive business data, customer records, and internal workflows in a single cloud-accessible application that employees regularly access remotely.
ShinyHunters and Qilin Ransomware List Cushman & Wakefield on Separate Leak Sites Within Three Days
An unusual characteristic of this incident is the simultaneous listing by two distinct threat actor groups on separate dark web infrastructure.
Why Qilin’s Independent Listing Three Days After ShinyHunters Complicates Attribution
ShinyHunters listed Cushman & Wakefield on its dark web extortion site with a May 1, 2026 breach date and 500,000+ Salesforce record claim. Qilin ransomware separately listed the same company on its own dark web leak site dated May 4, 2026 — three days later. The two groups’ simultaneous presence on the same victim suggests either coordinated access, opportunistic secondary exploitation of an initial foothold first established by one actor, or that the vishing-obtained credentials were sold within criminal marketplace ecosystems before either group published their claims.
What 500,000 Salesforce Records from a Global Real Estate Firm Contains
Cushman & Wakefield operates in over 60 countries and manages commercial real estate transactions, facility management contracts, and investment advisory services for major corporations, institutional investors, and government entities. Its Salesforce environment likely contains client contact data, transaction records, property management workflow data, corporate correspondence, and financial information relevant to major real estate deals — data of significant intelligence and fraud value.
The 50GB dataset published by ShinyHunters after the ransom deadline represents a confirmed data leak regardless of any ongoing negotiations with Qilin. Cushman & Wakefield clients whose data may be included in the Salesforce export should anticipate targeted phishing and social engineering attempts leveraging the leaked contact and transactional information, as breach data from this type of release is typically circulated across multiple criminal forums following initial publication.
