Cushman & Wakefield Got Phished by Phone—Then ShinyHunters Dumped 50GB of Salesforce Data When the Ransom Deadline Passed

The world's third largest commercial real estate broker just learned the hard way that one ringing phone can outrun every dollar of cybersecurity budget. On May 1, ShinyHunters phoned a Cushman & Wakefield employee, talked them into handing over access, and walked out with what the gang says is 500,000 Salesforce records. Five days later, when the May 6 ransom deadline passed without payment, the group started leaking a 50GB dataset.

The attack did not break a firewall. It broke a human.

A $9 Billion Real Estate Giant Caught by a Phone Call

Cushman & Wakefield manages 6.1 billion square feet of property worldwide. The firm reported $9.5 billion in revenue in 2024, employs roughly 52,000 people across 60 countries, and sits at number 271 on the Fortune 500. Its Salesforce instance holds leasing pipelines, broker contacts, building owner records, and a long history of internal correspondence about commercial property deals worth billions.

That instance is what ShinyHunters claims it took.

The company has confirmed only that there was "a limited data security incident due to vishing" and that "systems and operations continue to run normally." It will not confirm or deny what the gang says it stole. As of this week, the firm has also refused to publicly explain why two ransomware crews—ShinyHunters and Qilin—both took credit for the same breach within four days of each other.

The Voice on the Other End

Vishing is the spoken word cousin of the phishing email. An attacker calls an employee, pretends to be IT or a vendor or a colleague who urgently needs a password reset, and walks the target through a series of small "yeses" that end with the attacker holding valid credentials. ShinyHunters has been refining this technique for the entire 2025 to 2026 Salesforce campaign that has now claimed Adobe, Hallmark, Hims & Hers, McGraw-Hill, Vimeo, Zara, Canada Life, Carnival, Crunchyroll, and dozens of others.

The pattern is identical every time. The gang calls help desks or rank and file employees, gets them to "verify" their identity through a fake portal, captures the credentials, and uses them to authenticate to Salesforce as the legitimate user. Multi factor authentication does not stop it, because the attacker is sitting on the same login session the employee just opened.

Once inside, the data exfiltration is mechanical. Salesforce's own API gives an authenticated user the ability to query large objects in bulk. ShinyHunters runs the query, downloads the records, and disconnects. The company's network never sees malware because no malware was used.

What 500,000 Records Looks Like

The leaked dataset is 50GB of Salesforce formatted records. Cybernews reviewed early samples and reported that they include internal corporate data and personally identifiable information. The gang has not yet released a public field by field breakdown, but every prior Salesforce dump from this campaign has followed the same template: contact name, business email, phone, mailing address, account notes, support case history, and free text fields where employees typed whatever they thought was private.

For a commercial real estate firm, "free text fields" matter. They are where brokers store the terms of unsigned deals, the asking prices a building owner has not yet made public, the names of tenants quietly looking to relocate, and the email chains in which competing bidders revealed their walk away numbers. That information is worth more on the open market than any individual's home address.

It is also worth a great deal to anyone trying to send a convincing phishing email to a Cushman & Wakefield client. A spear phishing message that quotes the address of a building you are buying, the name of the broker handling the deal, and the exact close date is a message most people will trust enough to click.

Why Two Gangs Are Claiming the Same Hack

On May 1, ShinyHunters publicly named Cushman & Wakefield on its dark web extortion site. On May 4, Qilin—a separate ransomware operation believed to be Russia aligned—posted the same victim. Both have history with the same infrastructure, and both have at various points been linked to the loose criminal collective behind the broader Scattered Spider tag.

There are three possibilities, and the firm's refusal to clarify the dual claim is leaving outside researchers to guess at which it is:

• One actor performed the intrusion and sold or shared the data with a second.
• Two separate intrusions occurred and were discovered together.
• Qilin is claiming credit it does not deserve to boost its leak site reputation.

The dataset's appearance on ShinyHunters' site after the May 6 deadline, with no parallel leak from Qilin, suggests the first scenario is the likeliest. ShinyHunters has the data. Whether Qilin had it too matters less than the fact that it is now public.

The Email Connection Most Coverage Has Missed

Salesforce is, more than anything else, an inbox surface. The records that ShinyHunters has just published include the email addresses of Cushman & Wakefield's brokers, clients, vendors, and counterparties—plus enough context about each relationship to fake almost any future message between them.

The next phase of this breach will not be a ransom note. It will be a wave of business email compromise attempts aimed at the people whose contact details just went public, sent by attackers who now know exactly which broker is handling which property and which buyer is mid negotiation.

If you have a commercial real estate relationship with Cushman & Wakefield, assume that someone, somewhere, can now write a very convincing email pretending to be your broker. Wire transfer instructions in any email you receive over the next year should be confirmed by phone—using a number you already had, not the one in the message.

What This Means for Anyone With a Salesforce Tenant

ShinyHunters has now hit at least 18 major Salesforce customers in this campaign. The technical fix is well understood and Salesforce has been emailing customers about it for months: tighten the IP allowlist on connected apps, require certificate based authentication for the API, log out long lived sessions, and put a phishing resistant MFA factor in front of every account that can run a bulk export.

The human fix is harder. Vishing works because help desks are organized to be helpful. Every company running a Salesforce instance with sensitive data should have a written, drilled procedure for what happens when someone calls claiming to need credentials, and that procedure should make the answer "no" by default. The brokers, account managers, and customer service reps who handle those calls are the actual perimeter now. Cushman & Wakefield is just the latest reminder that the perimeter is currently losing.

How the Next 12 Months Will Play Out

The exposed records will move into criminal marketplaces within weeks. Spear phishing campaigns aimed at Cushman & Wakefield clients will appear within months. Class action filings on behalf of named individuals in the dataset are almost certain, following the same path that Vimeo, Adobe, and the dozen other 2025 victims have already walked. And the firm itself will face a question that every Salesforce breached company in this campaign has had to answer: at what point does a "limited" incident, repeated across an entire industry by the same gang using the same playbook, stop being limited?

Cushman & Wakefield is the 18th major name to learn that the answer arrives by phone.