ShinyHunters leaks Cushman & Wakefield Salesforce dataset after failed negotiations

Published: 8 May 2026
Last updated: 11 May 2026
Cushman & Wakefield logo
Image by Tupungato | Shutterstock

ShinyHunters has leaked a massive Salesforce-linked dataset allegedly tied to commercial real estate giant Cushman & Wakefield – claiming ransom negotiations with the company have failed.

Key takeaways:
  • ShinyHunters says it published a 50GB Cushman & Wakefield dataset after failed ransom negotiations.
  • The alleged Salesforce-linked data cache is still being downloaded and examined by Cybernews researchers.
  • The leak marks another escalation in ShinyHunters’ expanding campaign targeting major global brands.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The notorious ransomware gang updated its dark leak site on Friday with a downloadable data archive tied to Cushman & Wakefield, stating the “Big 4” real estate giant “failed to reach an agreement” despite the cybercriminals’ “incredible patience.”

ADVERTISEMENT

“Over 500k Salesforce records containing PII and other internal corporate data have been compromised,” the hackers wrote in the updated post.

ShinyHunters Cushman & Wakefield leak
ShinyHunters dumps Cushman & Wakefield dataset on May 7th after claiming ransom negotiations failed. ShinyHunters leak site. Image by Cybernews

The ransomware gang also says it gave Cushman & Wakefield “all the chances and offers we made,” adding that the company simply “don’t care.”

“This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that'll come your way,” the group threatened in its previous victim post.

ShinyHunters claim ransom talks collapsed

The latest development marks another escalation in ShinyHunters' extortion spree targeting Salesforce environments and cloud-linked enterprise systems, including Okta, Microsoft 365, and Google Workspace.

Earlier this week, Cushman & Wakefield confirmed to Cybernews that it “recently became aware of a limited data security incident due to vishing,” although it did not confirm ShinyHunters’ claims or the alleged theft of Salesforce data.

Upon discovering the intrusion, the company said it activated response protocols and brought in third-party experts to investigate, adding that "operations continue to run normally."

ADVERTISEMENT

Meanwhile, another ransomware gang, Qilin, also listed Cushman & Wakefield on its dark victim blog a few days later, although no additional proof samples or data claims were provided, and the entry has not been updated since.

Qilin ransomware post Cushman & Wakefield
The Qilin ransomware gang also claimed Cushman & Wakefield on its leak site on May 4, 2026. Image by Cybernews

As for the leaked Cushman & Wakefield dataset, its appears to be about 50 GB in size, said Cybernews researchers who began downloading the files Friday morning.

ShinyHunters’ leaked datasets are typically uploaded as compressed zip files, meaning researchers are unable to immediately inspect the contents without fully downloading the cache first, Cybernews researcher Rasa Jurgutyte said.

“It’s the same thing with this one as well,” Jurgutyte said, noting the Cushman & Wakefield dataset appears to have been uploaded to the gang’s leak infrastructure on Thursday. As with all ShinyHunters leak links, the file is aptly named "shouldve_paid_the_ransom" followed by the company name.

ShinyHunters Cushman & Wakefield leak link
ShinyHunters Cushman & Wakefield leak link. Image by Cybernews

Researchers begin downloading 50GB dataset

Cybernews researchers are continuing to download and examine the files to determine what information may be included in the alleged leak.

According to Jurgutyte, download speeds can vary significantly depending on both internet connectivity and the level of traffic occurring on the cybercriminals’ servers at any given moment.

“If there’s a ton of requests going in, the server is gonna have a harder time handling everything,” she explained, also pointing out the ongoing ShinyHunters cyberattack on Canvas e-learning platform.

ADVERTISEMENT
Canvas ransomware attack
Canvas E-learning platform is hacked by ShinyHunters. Image by Cybernews.

The Canvas by Instructure attack – which allegedly involves more than 3.65TB of stolen data – including 275 million communications between students and faculty members at roughly 9,000 schools worldwide – caused the education platform to go offline on Thursday, causing chaos among students preparing for final exams.

The unusually slow download speeds observed on Friday could indicate heavy interest in the Canvas dataset from other users attempting to access the files, although researchers cautioned this remains speculative.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

In the Canvas incident, ShinyHunters claimed that ransom negotiations with Instructure had also broken down, forcing the group to turn to extorting individual schools, which were given until May 12th to contact the cybercriminal group and negotiate a ransom demand.

Cybernews will update this story as our research team continues downloading and analyzing the data.

Data leak research job ad

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT