VYPR
breachPublished May 5, 2026· Updated May 17, 2026· 1 source

Cushman & Wakefield Confirms Data Breach Following Vishing Attack

Real estate giant Cushman & Wakefield is investigating a data breach after being targeted by both the ShinyHunters and Qilin cybercrime groups following a successful vishing attack.

Real estate services firm Cushman & Wakefield has confirmed a data security incident resulting from a vishing attack. The company activated its incident response protocols, engaged third-party experts, and initiated containment measures after becoming aware of the unauthorized activity The Register. While the firm characterized the breach as "limited" in scope, the incident has drawn the attention of two prominent cybercrime syndicates: ShinyHunters and Qilin The Register.

The initial point of compromise was identified as vishing, or voice phishing, where an employee was reportedly socially engineered to facilitate unauthorized access The Register. ShinyHunters, which operates under a pay-or-leak extortion model, claimed to have executed their portion of the attack on May 1. The group alleges that the breach resulted in the theft of over 500,000 Salesforce records, which reportedly contain personally identifiable information (PII) and internal corporate data The Register.

The situation is complicated by the simultaneous involvement of the ransomware group Qilin, which listed Cushman & Wakefield on its own data leak site on May 4 The Register. Qilin is currently considered one of the most prolific ransomware operators globally, though the group has not disclosed the specific methods used in their alleged compromise of the firm. There is no evidence of a partnership between the two groups, suggesting the company was targeted by two independent, coincidentally timed attacks The Register.

Cushman & Wakefield has maintained that its systems and operations continue to function normally despite the claims. ShinyHunters had set a deadline of May 6 for the company to initiate contact to prevent the release of the stolen data, though the group reported that no such contact had been made as of the time of their statement The Register.

This incident follows a period of heightened activity for ShinyHunters, which has been linked to a series of high-profile breaches since March 2026. The group previously claimed responsibility for a supply chain attack involving Salesforce that allegedly impacted more than 100 high-profile customers. Other major organizations, including ADT, Carnival Cruise Line, Rockstar Games, and Vimeo, have also recently confirmed security incidents involving the group The Register.

The dual targeting of a single entity by two distinct threat actors highlights the increasing frequency of opportunistic and multi-pronged extortion attempts against large corporations. As organizations continue to rely on cloud-based CRM platforms like Salesforce, they remain prime targets for groups capable of exploiting both technical vulnerabilities and human-centric attack vectors like vishing. Security teams are now tasked with managing the fallout of these concurrent threats while investigating the full extent of the data exposure The Register.

Synthesized by Vypr AI
Cushman & Wakefield Confirms Data Breach Following Vishing Attack · VYPR