The ShinyHunters cybercrime group has claimed it breached global real estate firm Cushman & Wakefield, alleging the theft of hundreds of thousands of records as part of an ongoing campaign targeting Salesforce environments.
According to the group’s post on its leak site, more than 500,000 records tied to the company’s Salesforce systems were accessed. The attackers claim the data includes personally identifiable information and internal corporate records, though no evidence has been publicly released to verify the claim.
The alleged breach follows a pattern seen in recent ShinyHunters activity, where organizations are listed on leak portals alongside “pay-or-leak” ultimatums. In this case, the group reportedly issued a short deadline, warning the company to make contact or risk public exposure of the data.
Cushman & Wakefield has not confirmed the incident at the time of reporting, and it remains unclear whether any systems were actually compromised or if data was exfiltrated. The absence of proof samples is consistent with some previous extortion attempts, where claims are used to pressure victims before verification.
The incident is linked to a broader campaign targeting organizations using Salesforce’s Experience Cloud platform. Security advisories indicate that attackers have been exploiting misconfigured environments, particularly public-facing portals with overly permissive guest access settings.
Rather than exploiting vulnerabilities in Salesforce itself, these attacks typically rely on configuration weaknesses or social engineering. Misconfigured access controls can allow unauthorized users to query and extract CRM data without authentication, depending on how systems are set up.
ShinyHunters has been associated with multiple high-profile data theft and extortion cases in 2026, frequently targeting SaaS platforms and cloud-based business systems. The group’s strategy often involves large-scale data extraction followed by public pressure campaigns designed to force ransom payments.
The Cushman & Wakefield claim reflects the continued expansion of these operations across industries, including real estate, finance, and technology. As investigations continue, the case highlights ongoing risks tied to cloud service configurations and the growing use of extortion tactics in data breach incidents.