Cushman & Wakefield, one of the largest players in the global commercial real estate market, has officially acknowledged a security incident. Cybercriminals from the ShinyHunters group claim to have obtained more than half a million records containing both personal data and confidential corporate information, The Register reported on Monday.
Two groups, one target
According to the attackers, the breach took place on May 1. This means Cushman & Wakefield has joined a growing list of corporate victims of an ongoing ShinyHunters campaign targeting Salesforce-based environments. Separately, on May 4, another ransomware group, Qilin, listed the company on its data leak site, although it did not disclose details about the attack method.
ShinyHunters gave Cushman & Wakefield a final deadline to make contact: May 6. After that date, the stolen data was expected to be made public. On Monday, the group told The Register that the company had remained silent and had not opened any communication.
A company spokesperson confirmed the incident, describing its scope as limited. He explained that the breach resulted from vishing, or voice-based phishing, in which an employee was manipulated and unknowingly gave attackers access to the company’s systems.
“We implemented incident response procedures, took steps to block unauthorized activity, and engaged external experts to support our response,” the spokesperson said.
A familiar attack pattern
The incident is not an isolated case. Security researchers have been tracking a similar attack pattern since mid-2025. ShinyHunters, monitored by Google Threat Intelligence Group under the designation UNC6040, has developed a repeatable method: combining vishing with the takeover of OAuth tokens used by third-party Salesforce integrations.
In March 2025, the attackers claimed responsibility for stealing data from around 100 well-known organizations, including Snowflake, Okta, Sony and AMD. In early 2026, similar techniques were reportedly used in an attack on ADT, where 10 million Salesforce records were allegedly stolen after Okta login credentials were obtained through vishing.
In a report published in April, Obsidian Security described the campaign’s pattern: compromising an Okta account through voice phishing, registering persistent multi-factor authentication, then moving between applications connected through SSO and exfiltrating cloud data.
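The sequence Obsidian Security describes (new MFA factor, then rapid movement across SSO-connected apps) can be expressed as a detection rule. The following is an added example, not code from the report or from any vendor named here; it assumes events flattened from Okta System Log entries, and the thresholds, user names and IP addresses are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)      # assumed look-ahead after a factor is enrolled
MIN_APPS = 3                     # assumed threshold for SSO fan-out
NEW_IP_AGE = timedelta(days=1)   # assumed: an IP first seen this recently is "new"

# Constructed sample events: (timestamp, actor, eventType, client IP, target app).
# The eventType strings follow Okta System Log naming; the flat layout is an assumption.
EVENTS = [
    ("2026-04-28T08:55:00", "jdoe", "user.session.start", "198.51.100.7", None),
    ("2026-04-28T08:56:00", "jdoe", "user.authentication.sso", "198.51.100.7", "Salesforce"),
    ("2026-05-01T14:02:00", "jdoe", "user.session.start", "203.0.113.50", None),
    ("2026-05-01T14:04:00", "jdoe", "user.mfa.factor.activate", "203.0.113.50", None),
    ("2026-05-01T14:06:00", "jdoe", "user.authentication.sso", "203.0.113.50", "Salesforce"),
    ("2026-05-01T14:09:00", "jdoe", "user.authentication.sso", "203.0.113.50", "Slack"),
    ("2026-05-01T14:15:00", "jdoe", "user.authentication.sso", "203.0.113.50", "Google Workspace"),
    ("2026-04-20T09:00:00", "asmith", "user.session.start", "198.51.100.9", None),
    ("2026-05-02T10:00:00", "asmith", "user.mfa.factor.activate", "198.51.100.9", None),
    ("2026-05-02T10:05:00", "asmith", "user.authentication.sso", "198.51.100.9", "Salesforce"),
    ("2026-05-02T10:20:00", "asmith", "user.authentication.sso", "198.51.100.9", "Slack"),
    ("2026-05-02T10:40:00", "asmith", "user.authentication.sso", "198.51.100.9", "Jira"),
    ("2026-05-03T11:00:00", "blee", "user.mfa.factor.activate", "192.0.2.44", None),
    ("2026-05-03T11:30:00", "blee", "user.authentication.sso", "192.0.2.44", "Salesforce"),
]

def find_suspect_enrollments(events, window=WINDOW, min_apps=MIN_APPS, new_ip_age=NEW_IP_AGE):
    """Flag factor enrollments from a recently first-seen IP followed by SSO fan-out."""
    parsed = sorted(((datetime.fromisoformat(ts), actor, etype, ip, app)
                     for ts, actor, etype, ip, app in events), key=lambda e: e[0])
    first_seen = {}                          # (actor, ip) -> earliest timestamp
    for ts, actor, _, ip, _ in parsed:
        first_seen.setdefault((actor, ip), ts)
    alerts = []
    for ts, actor, etype, ip, _ in parsed:
        if etype != "user.mfa.factor.activate":
            continue
        if ts - first_seen[(actor, ip)] > new_ip_age:
            continue                         # address has history for this user
        apps = {a for t, u, e, _, a in parsed
                if u == actor and e == "user.authentication.sso"
                and ts < t <= ts + window}   # distinct apps reached after enrollment
        if len(apps) >= min_apps:
            alerts.append({"actor": actor, "enrolled_at": ts.isoformat(),
                           "ip": ip, "apps": sorted(apps)})
    return alerts

if __name__ == "__main__":
    print(find_suspect_enrollments(EVENTS))
```

Only the jdoe enrollment is flagged: asmith enrolls from an address with history, and blee reaches a single app.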
OAuth tokens as an entry point
A common factor in successive breaches is excessive trust placed in OAuth tokens linking various corporate platforms. Austin Larsen, principal analyst at Google Threat Intelligence Group, had previously noted that cybercriminals are increasingly using tokens from trusted SaaS integrations as an attack vector.
Researchers also point out that many companies still have not revoked tokens compromised during the mid-2025 ShinyHunters campaign targeting Salesloft Drift, a Salesforce integration provider. This is a serious mistake, as it can leave systems exposed to further activity months after the initial breach.
With the May 6 deadline approaching, Cushman & Wakefield may soon face the public release of stolen data — in a case where two separate cybercriminal groups are simultaneously claiming responsibility for the same attack.


