The ShinyHunters cybercrime group has published what it claims is a massive Salesforce-linked dataset stolen from commercial real estate giant Cushman & Wakefield after alleged ransom negotiations collapsed.
According to posts published on the group’s dark web leak site, the attackers claim they compromised more than 500,000 Salesforce records containing personally identifiable information and internal corporate data tied to the company. ShinyHunters says the leaked archive is approximately 50GB in size.
The group first listed Cushman & Wakefield as a victim earlier this month and issued a deadline demanding the company negotiate before the data was released publicly. After the deadline passed, ShinyHunters updated its leak page with download links for the alleged dataset.
Cushman & Wakefield previously confirmed it experienced what it described as a “limited” security incident caused by a vishing attack, though the company did not verify the hackers’ claims regarding Salesforce data theft or the size of the alleged breach. The firm said it activated incident response procedures and brought in external cybersecurity specialists to investigate.
Researchers are still analyzing the leaked files to determine exactly what information may have been exposed. Early reports suggest the archive could contain customer records, internal business information, and potentially sensitive corporate communications tied to Salesforce systems.
The incident appears linked to ShinyHunters’ broader campaign targeting cloud and SaaS platforms through social engineering attacks. Security researchers and Google threat analysts previously warned that the group increasingly relies on voice phishing operations to trick employees into handing over credentials and multi-factor authentication codes.
In several recent incidents, attackers reportedly impersonated IT staff and directed employees to fake login portals designed to capture enterprise credentials. Once inside, the threat actors focused heavily on cloud-based platforms, including Salesforce, Okta, Microsoft 365, and Google Workspace.
The Cushman & Wakefield leak is part of a growing series of ShinyHunters-linked extortion incidents involving Salesforce environments. Multiple companies have recently appeared on the group’s leak site after attackers claimed to have stolen large volumes of customer and internal business data from cloud-connected systems.
Complicating the situation further, another ransomware group known as Qilin also listed Cushman & Wakefield on its own leak site days after the ShinyHunters claim emerged. However, Qilin did not publish supporting evidence or additional details, and researchers say there is currently no confirmed connection between the two groups.
Cybersecurity experts warn that leaked Salesforce datasets can create significant risks because they often contain detailed customer records, contact information, sales pipelines, contracts, and internal communications. Even if financial information is absent, attackers can still use exposed business data for phishing campaigns, fraud, impersonation attacks, and follow-on social engineering operations.
The incident also highlights growing concerns around SaaS security and cloud-based identity systems. Rather than breaching traditional on-premise infrastructure, modern cybercriminal groups increasingly target employee credentials and cloud platforms that centralize access to sensitive enterprise data.
At this stage, the full scope of the alleged Cushman & Wakefield leak remains unclear, and independent verification of the published dataset is still ongoing.