Global commercial real estate services giant Cushman & Wakefield Inc. has been added to the ShinyHunters extortion leak site, with the threat group claiming exfiltration of more than 500,000 Salesforce records containing personally identifiable information and internal corporate data. The disclosure, surfaced on 2026-05-03, includes a "FINAL WARNING" demanding the company respond by 6 May 2026 before the dataset is published.
What Happened
On 2026-05-03, the ShinyHunters extortion crew listed Cushman & Wakefield Inc. as a victim on their leak portal, asserting that they had successfully exfiltrated a substantial trove of Salesforce CRM data from the firm. According to the listing, the breach window aligns with the discovery timestamp of 2026-05-03T03:25:36 UTC, suggesting the actor moved directly from data theft to public extortion with minimal dwell. The group is threatening publication of the stolen archive within approximately 72 hours unless the victim engages in negotiation, and has hinted at "annoying digital problems" for non-compliance, language consistent with secondary harassment campaigns the actor has run against prior victims.
Cushman & Wakefield, headquartered in Chicago and operating across more than 60 countries, sits in the Business Services sector and handles a significant volume of tenant, landlord, investor and corporate client data through Salesforce as its customer relationship platform.
What Was Taken
ShinyHunters claims the dataset includes:
- More than 500,000 Salesforce records
- Personally identifiable information (PII) on clients, contacts and likely employees
- Internal corporate data extracted from the CRM environment
While full schema details have not been published, Salesforce CRM exports of this scale typically contain client contact information, account ownership details, deal pipeline data, internal notes, and integration metadata that can expose downstream systems. For a commercial real estate firm, this category of data also carries elevated sensitivity given the mix of high-net-worth investors, institutional landlords and corporate tenant relationships represented.
Why It Matters
This incident is the latest in a sustained ShinyHunters campaign targeting Salesforce tenants, a pattern that has dominated the group's activity throughout 2025 and into 2026. For defenders, the Cushman & Wakefield disclosure reinforces three uncomfortable trends:
- SaaS platforms, not on-premises infrastructure, are now the primary plunder ground for high-volume PII theft.
- Real estate and professional services firms are being treated as soft, data-rich targets relative to their security maturity.
- ShinyHunters is operating on extremely compressed extortion timelines (three days from listing to leak in this case), giving incident response teams almost no runway to triage, validate or negotiate.
The downstream blast radius is also notable. Cushman & Wakefield's CRM almost certainly contains contact records for executives, asset managers and procurement leads at thousands of other organizations, creating a high-quality target list for follow-on phishing, business email compromise and supply chain pivoting.
The Attack Technique
While Cushman & Wakefield has not publicly attributed an initial access vector, ShinyHunters' recent Salesforce-focused operations have consistently leveraged the same tradecraft pattern: voice phishing (vishing) of help desk or sales operations staff, followed by social engineering victims into authorizing a malicious connected app (often a modified Data Loader or OAuth integration) into the target Salesforce tenant. Once authorized, the actor uses the connected app's API access to bulk export objects (Accounts, Contacts, Leads, Opportunities, Cases) at speed before tokens are revoked.
This vector bypasses traditional endpoint and network controls entirely, since exfiltration happens through legitimate Salesforce APIs from attacker-controlled infrastructure using a sanctioned OAuth grant. Detection typically depends on Salesforce Event Monitoring, anomalous Bulk API usage, or out-of-pattern connected app installations.
What Organizations Should Do
- Audit Salesforce connected apps immediately. Inventory every authorized OAuth integration, revoke any that are unrecognized, unused, or installed outside of a change control window, and restrict who can install new connected apps to a small admin group.
- Enforce IP and login restrictions on Salesforce. Apply login IP ranges, require SSO with phishing-resistant MFA (FIDO2 / WebAuthn), and disable legacy authentication paths for API users.
- Turn on Salesforce Shield Event Monitoring (or equivalent transaction logging) and alert on Bulk API queries exceeding normal baselines, especially against Account, Contact and Lead objects.
- Harden the help desk against vishing. Require callback verification, scripted identity proofing, and approval workflows before resetting MFA or granting elevated access. ShinyHunters' entry point is almost always a human, not a vulnerability.
- Brief executives and clients proactively if your organization is in the Cushman & Wakefield tenant or vendor universe. Expect targeted phishing referencing real lease, transaction, or account details over the coming weeks.
- Pre-stage an extortion playbook. With actors moving from intrusion to public leak in days, legal, communications, and IR decision trees must already be approved, not drafted under duress.
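The Bulk API baseline alert mentioned under The Attack Technique and in the Event Monitoring recommendation, written out as an added example (not code from the original post or from Salesforce). The column names, user IDs, IP addresses and thresholds are constructed assumptions modeled on an event log CSV export; map them to the fields your org actually exports.

```python
import csv
import io
from collections import defaultdict
from statistics import median

SENSITIVE = {"Account", "Contact", "Lead"}  # objects the recommendation singles out

# Constructed sample; column names are assumed, modeled on an event log CSV export.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_TYPE,OPERATION_TYPE,ROWS_PROCESSED
2026-04-28T09:10:00Z,005INTEG,198.51.100.10,Contact,query,1800
2026-04-29T09:12:00Z,005INTEG,198.51.100.10,Contact,query,2100
2026-04-30T09:11:00Z,005INTEG,198.51.100.10,Account,query,1900
2026-05-01T14:02:00Z,005SALES,203.0.113.7,Contact,query,150
2026-05-02T02:40:00Z,005SALES,192.0.2.44,Contact,query,240000
2026-05-02T02:47:00Z,005SALES,192.0.2.44,Account,query,95000
2026-05-02T09:14:00Z,005INTEG,198.51.100.10,Contact,insert,500000
2026-05-02T09:20:00Z,005INTEG,198.51.100.10,Lead,query,2200
"""

def daily_export_volume(log_text):
    """Sum rows read per (user, day) by bulk queries on sensitive objects."""
    volume, ips = defaultdict(int), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["OPERATION_TYPE"].lower() != "query":
            continue  # inserts/updates are not data leaving the tenant
        if row["ENTITY_TYPE"] not in SENSITIVE:
            continue
        key = (row["USER_ID"], row["TIMESTAMP_DERIVED"][:10])
        volume[key] += int(row["ROWS_PROCESSED"])
        ips[key].add(row["CLIENT_IP"])
    return volume, ips

def find_bulk_export_anomalies(log_text, multiplier=10, floor=10_000):
    """Flag user-days above `floor` rows and `multiplier` x the user's prior median.
    A user with no history has baseline 0, so a first large export always alerts."""
    volume, ips = daily_export_volume(log_text)
    alerts = []
    for (user, day), rows in sorted(volume.items(), key=lambda kv: kv[0][1]):
        prior = [k for k in volume if k[0] == user and k[1] < day]
        baseline = median(volume[k] for k in prior) if prior else 0
        known_ips = set().union(*(ips[k] for k in prior))
        if rows >= floor and rows > multiplier * baseline:
            alerts.append({"user": user, "day": day, "rows": rows,
                           "baseline": baseline,
                           "new_ips": sorted(ips[(user, day)] - known_ips)})
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_export_anomalies(SAMPLE_LOG):
        print(alert)
```

The `new_ips` field ties the volume spike to a source address the user has not exported from before, which is the combination the attack pattern above produces: a sanctioned OAuth grant used from unfamiliar infrastructure.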
Sources: Ransomware Group shinyhunters Hits: Cushman and Wakefield Inc.