
Cushman & Wakefield confirmed a vishing-related security breach after both ShinyHunters and Qilin listed the commercial real estate giant on their dark web leak sites, with ShinyHunters claiming it stole more than 500,000 Salesforce records.
Update – May 5th: Cushman & Wakefield confirmed to Cybernews it “recently became aware of a limited data security incident due to vishing,” but said its systems and operations continue to run normally.
Cybernews has also observed Cushman & Wakefield listed on the Qilin ransomware gang’s dark web leak site, dated May 4th.
- Cushman & Wakefield confirms a vishing-related security breach after two ransomware gangs listed the company.
- ShinyHunters claims 500k Salesforce records were stolen – but has not released proof samples.
- Qilin has also entered the picture, adding the real estate giant to its dark web leak site.
The global real estate services firm was listed on ShinyHunters' victim blog on Sunday, alongside the ransomware gang’s typical pay-or-leak threats.
“Over 500K Salesforce records containing PII and other internal corporate data have been compromised,” the hackers wrote, without providing any proof samples of their handiwork.
The group gave Cushman & Wakefield three days to make contact and pay an undisclosed ransom demand, again following a fairly standard victim script.
“This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that'll come your way,” the group threatens.
“Make the right decision, don't be the next headline,” it adds, with “FINAL WARNING PAY OR LEAK” written in bright red.
Cushman & Wakefield told Cybernews that once it became aware of the intrusion, it "activated its response protocols, including steps to contain the unauthorized activity."
A spokesperson said the company also brought in “third-party expert advisors to support a comprehensive response.”
And although Cushman & Wakefield attributed the breach to a vishing attack, the spokesperson did not confirm ShinyHunters’ claims or the alleged theft of Salesforce data.
Second ransomware gang enters the picture
In a separate ransomware development, the Qilin gang appears to have also listed Cushman & Wakefield on its victim blog, as observed by Cybernews.
However, the Qilin post, dated Monday, May 4th, provides even less detail than the ShinyHunters post, leaving out proof samples or a separate data claim.
Also notably absent from the Cushman & Wakefield entry is a “Time till publication” countdown clock, a tactic commonly used by the cybercriminals to pressure victims into paying a ransom.
Although rare, it’s not unheard of for rival ransomware gangs to pile onto the same high-profile victim.
In 2023, multiple ransomware gangs claimed responsibility for devastating attacks on two California cities, Oakland and Modesto.
Infamous ransom gangs Snatch and Play claimed responsibility for the California attacks, and yet another Russian-linked group, LockBit, tried to cash in, later leaking files after officials refused to pay.
For now, Qilin’s Cushman & Wakefield listing does not include enough information to determine whether it is connected to the ShinyHunters claim.
Qilin ranked among the most active ransomware groups in 2025, making the Cushman & Wakefield listing a notable escalation. Cybernews will update this story if new information becomes available.
Real estate giant pulled into ransomware playbook
Headquartered in Chicago, Cushman & Wakefield serves thousands of high-profile companies, including a large residential investor client base, managing roughly 5,100 million sq ft of space and 144,000 multi-unit properties across the US.
The Fortune 500 firm has more than 400 offices in over 60 countries and employs about 52,000 professionals worldwide, according to its website.
With total revenue of $10.3 billion in 2025, Cushman & Wakefield is considered one of the global “big four” commercial real estate and investment management companies, alongside CBRE, JLL, and Colliers International.
Although not related to ShinyHunters, several ransomware attacks on other major commercial real estate firms surfaced last May, including the global real estate network RE/MAX and Landmark Properties, one of the largest student housing developers in the US.
Those attacks were claimed by the Medusa ransomware gang and the Morpheus extortion group, respectively.
Salesforce campaign expands across industries
ShinyHunters has been ramping up its attack claims since early March, in what appears to be a continuation of its 2025 Salesloft Drift/Salesforce hacking campaign targeting users of the widely used cloud-based enterprise customer relationship management (CRM) platform.
In February, the Google Threat Intelligence Group (GTIG) identified the latest surge as “a significant expansion and escalation in the operations” for the notorious extortionist group, which has claimed about 700 companies and counting.
ShinyHunters is known for its sophisticated social engineering and phishing attacks, including a spate of documented vishing attacks in which the hackers often trick employees into handing over their login credentials to third-party systems.
The group’s multiple high-profile breaches and large-scale data theft operations also include a recent Okta vishing campaign targeting single sign-on (SSO) credentials.
Okta, an identity and access management (IAM) platform, published details about the ShinyHunters attack back in January, warning that attackers were also targeting SSO credentials tied to Microsoft and Google environments.
Also on Sunday, the hackers claimed to have breached Canvas, one of the leading educational platforms used by millions of students worldwide – also via its Salesforce instance.
ShinyHunters claims to have stolen more than 3.65TB of data linked to a massive 275 million students from the learning platform, including billions of private student messages and records.
In the past several weeks, the extortionists also claimed breaches and leaked data tied to Udemy, Mytheresa, Zara, 7-Eleven, Carnival cruise lines, and Alert 360 home security company.
Other recent victims include Hims & Hers telehealth platform, Hallmark, CarGurus, the European Commission, Ameriprise Financial, and dating sites Bumble, Hinge, Match, and OkCupid, among dozens more.