One Phone Call Destroyed Cushman & Wakefield: The 500,000-Record Vishing Attack Nobody Is Talking About
A single phone call gave hackers access to one of the world’s largest commercial real estate companies — and when the company refused to pay, the attackers dumped 50 gigabytes of sensitive data on the internet. The Cushman & Wakefield vishing attack of 2026 is one of the most instructive cybersecurity incidents of the year, and it’s receiving far less coverage than it deserves. Not because it’s small — 500,000 Salesforce records containing personally identifiable information is a massive breach — but because vishing attacks feel low-tech in a world obsessed with sophisticated zero-days. That’s exactly the problem.
Cushman & Wakefield, a global commercial real estate services firm with $9.5 billion in annual revenue and operations in 60 countries, confirmed the breach in early May 2026. The company acknowledged that “a limited data security incident due to vishing” had occurred and that it had “activated response protocols.” The language was careful and minimizing. The reality was anything but: ShinyHunters had taken 500,000 records and was sitting on them, waiting for payment.
What Happened: One Phone Call, 500,000 Records
The Cushman & Wakefield vishing attack followed a pattern that’s become disturbingly common in 2026: a criminal caller impersonated a trusted source — likely an IT support technician or helpdesk representative — and convinced a Cushman & Wakefield employee to provide credentials or take actions that gave the attacker access to the company’s Salesforce instance.
Vishing (voice phishing) attacks rely on social engineering rather than technical exploitation. There’s no CVE to patch, no exploit to detect — just a human being manipulated into doing something they shouldn’t. In Cushman & Wakefield’s case, the result of that single call was access to more than 500,000 Salesforce records containing customer and employee PII, internal corporate data, and client information spanning the company’s global real estate operations.
ShinyHunters claimed initial access to the data on May 1, 2026, and immediately began extortion proceedings. They issued a ransom demand with a deadline of May 6, 2026. When negotiations broke down and the deadline passed without payment, the group published the full 50GB dataset publicly on their leak site — meaning the data is now freely accessible to anyone who knows where to look.
The scale of the exposure is significant. Cushman & Wakefield’s Salesforce instance contained data from major corporate clients — companies that trusted Cushman & Wakefield with information about their real estate portfolios, lease agreements, and business locations. That data is now in the wild, and the downstream risks are difficult to fully assess.
Who Are ShinyHunters? The Group Behind the Cushman Breach
ShinyHunters is one of the most prolific data theft and extortion groups operating today. The group gained notoriety beginning in 2020 with a series of high-profile database breaches, and has evolved into a sophisticated operation that combines technical attacks, social engineering, and systematic extortion. Their victims over the years have included Tokopedia, Wattpad, Microsoft, and dozens of smaller organizations.
What makes ShinyHunters distinctive in 2026 is their strategic patience. Unlike ransomware-as-a-service operations that encrypt systems and demand immediate payment, ShinyHunters primarily focuses on data exfiltration and controlled leak threats. They take the data, establish that they have it, make contact, negotiate, and only release if negotiations fail. This approach is more methodical and arguably more professionally executed than typical ransomware operations.
The group is also known for maintaining active communication during extortion negotiations — they’re not anonymous threat actors who disappear after posting on dark web forums. They engage, they negotiate, and they follow through on threats when negotiations fail. Cushman & Wakefield discovered that follow-through firsthand.
Vishing: The Attack Vector Every Security Team Underestimates
Vishing — voice phishing — is the use of phone calls to manipulate targets into revealing credentials, approving unauthorized access, or taking actions that compromise security. It’s one of the oldest social engineering techniques, but in 2026 it’s more dangerous than ever for three specific reasons.
AI voice cloning has made vishing trivially convincing. Modern AI voice synthesis can clone a person’s voice from a few minutes of audio — audio that’s often publicly available from LinkedIn videos, conference talks, or corporate communications. An attacker calling your helpdesk can now convincingly impersonate your CEO, your IT director, or a trusted vendor contact. The Cushman & Wakefield attack may or may not have used AI voice cloning — the company hasn’t disclosed — but the capability is real and widely available. As Mandiant’s M-Trends 2026 report documented, AI-assisted attacks are becoming the norm rather than the exception.
Remote work has weakened verification culture. In-person environments create informal verification mechanisms: if someone calls claiming to be from IT, you can physically walk to the IT department to verify. In remote and hybrid environments, all verification happens through digital channels — and those channels can be spoofed or compromised. This is why so many high-profile vishing attacks have succeeded in 2023-2026: the social trust fabric that informal verification relied on is gone.
Helpdesk employees are specifically targeted and undertrained. Attackers know that helpdesk and IT support staff are trained to be helpful — that’s their job. They’re also often undertrained on social engineering resistance. The combination creates a predictable attack path: call helpdesk, establish urgency, exploit the desire to be helpful, obtain access. Cushman & Wakefield is far from alone in having this vulnerability.
The solution isn’t to make helpdesk staff suspicious of everyone — it’s to implement verification protocols that don’t rely on voice recognition or caller ID. Callback verification (hang up and call the number on file), out-of-band authentication (verify via a separate authenticated channel), and strict policies on credential resets and account access over the phone are all effective countermeasures that remain widely unimplemented.
The 50GB Data Dump: What Was Actually Exposed
When ShinyHunters published the 50GB Cushman & Wakefield dataset after ransom negotiations failed, they exposed a comprehensive view of one of the world’s largest commercial real estate companies. According to analysis of the published data by cybersecurity researchers:
- Customer PII: Names, email addresses, phone numbers, and postal addresses of corporate clients across multiple markets
- Internal corporate data: Deal information, commission records, property management details
- Employee information: HR records, contact details, organizational structure data
- Client operational data: Lease information, property portfolios, and transaction history for major corporate clients
For Cushman & Wakefield’s clients — which include many of the world’s largest corporations — the exposure of their real estate and location data creates a range of downstream risks. Corporate real estate data can reveal expansion plans, workforce strategies, and operational priorities that companies consider highly sensitive. The breach effectively gave anyone who downloaded the data a window into the real estate operations of Cushman & Wakefield’s entire client base.
The Qilin Ransomware Angle: A Second Group Claims the Same Victim
In an unusual development, a second ransomware group — Qilin — also listed Cushman & Wakefield on its victim blog in early May 2026, just days after ShinyHunters’ initial claim. Qilin’s posting provided no proof samples and no specific data claims, leading cybersecurity researchers to suspect opportunistic listing rather than an independent breach.
Opportunistic listing is a known tactic in the ransomware ecosystem: once a breach becomes public knowledge, other groups sometimes claim the same victim to generate attention or create confusion about the severity of the incident. Whether Qilin actually had access to Cushman & Wakefield’s systems independently, or whether they were simply trying to amplify the pressure on the company, isn’t clear from available information.
What is clear is that once a company appears on ransomware group leak sites, it becomes a target for multiple actors simultaneously. The Cushman & Wakefield incident illustrates why breach response needs to account for the possibility of parallel attacks exploiting the same initial access vector — much as we saw with multiple groups exploiting cPanel vulnerabilities simultaneously earlier in 2026.
Security Lessons Every Team Should Take From This Breach
The Cushman & Wakefield vishing attack offers specific, actionable lessons for security teams that go beyond “train your employees better.”
Implement phone-based social engineering controls for Salesforce access. Any action that provides access to or exports from major SaaS systems like Salesforce should require multi-factor verification that cannot be provided over a phone call. Disable helpdesk-initiated password resets that grant immediate access without a waiting period. Require that any sensitive account actions be approved through an authenticated app rather than over the phone.
Apply data minimization to CRM access. Five hundred thousand records is an enormous amount of data to be accessible from a single compromised session. Granular access controls — where individual users can only see the records relevant to their role — would have significantly limited the blast radius. No individual helpdesk session should be able to export 500,000 records.
Monitor for abnormal Salesforce export activity. Exfiltrating 500,000 records doesn’t happen instantly — it takes time and generates anomalous data access patterns. Salesforce’s event monitoring capabilities can detect bulk exports, unusual access patterns, and API calls that don’t match normal user behavior. Alerts on these patterns, properly tuned, could detect an exfiltration in progress before it’s complete.
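A sketch of the export alerting described above, as an added example that is not code from the original article or from Salesforce. The event tuples, user names, baselines and thresholds are constructed for illustration, and the tuple layout is a simplified assumption rather than the actual Event Monitoring log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
ABSOLUTE_LIMIT = 50_000    # rows per window that is suspicious for any account
MULTIPLIER = 10            # allowed multiple of the user's usual per-window volume
DEFAULT_BASELINE = 100     # accounts with no export history get a tight limit

# Constructed events: (timestamp, user, event type, rows returned).
EVENTS = [
    ("2026-03-02T02:00:00", "u_etl", "BulkApi", 30000),
    ("2026-03-02T02:40:00", "u_etl", "BulkApi", 30000),
    ("2026-03-02T09:00:00", "u_analyst", "ReportExport", 1500),
    ("2026-03-02T13:00:00", "u_analyst", "ReportExport", 1800),
    ("2026-03-02T22:01:00", "u_support", "API", 900),
    ("2026-03-02T22:06:00", "u_support", "API", 900),
    ("2026-03-02T22:11:00", "u_support", "API", 900),
    ("2026-03-02T22:16:00", "u_support", "API", 900),
]
# Constructed baselines: typical rows per window, per user.
BASELINES = {"u_etl": 40000, "u_analyst": 2000, "u_support": 200}

def detect_bulk_export(events, baselines, window=WINDOW):
    """Return one alert per user, the first time their rolling row count exceeds the limit."""
    recent = defaultdict(deque)   # user -> (time, rows) entries still inside the window
    totals = defaultdict(int)     # user -> total rows inside the window
    alerted, alerts = set(), []
    for ts_raw, user, _event_type, rows in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        recent[user].append((ts, rows))
        totals[user] += rows
        # Drop entries that have aged out of the rolling window.
        while ts - recent[user][0][0] > window:
            totals[user] -= recent[user].popleft()[1]
        # The tighter of the global cap and the per-user multiple applies.
        limit = min(ABSOLUTE_LIMIT, MULTIPLIER * baselines.get(user, DEFAULT_BASELINE))
        if totals[user] > limit and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts_raw,
                           "rows_in_window": totals[user], "limit": limit})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_export(EVENTS, BASELINES):
        print(alert)
```

The per-user limit is what catches the low-volume support account mid-export, while the integration account's larger but routine batches stay below the global cap because they fall in separate windows.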
The Cushman & Wakefield vishing attack is a reminder that the most sophisticated cybersecurity defenses in the world are vulnerable to a determined caller with good social engineering skills and the right target. Security culture, verification protocols, and data minimization aren’t as exciting as zero-day patches — but they’re often more important.
Sources: Cybernews | The Register | ComplianceHub | Cybernews (leak) | Fyntralink