Cushman & Wakefield Got Hit by Two Ransomware Groups in Three Days. ShinyHunters Just Posted 50 Gigabytes.

Cushman & Wakefield confirmed a vishing-related breach on May 5. ShinyHunters and Qilin both listed it on their leak sites within days. After negotiations failed, ShinyHunters posted a 50GB Salesforce dataset on May 8. The dual-claim attribution puzzle is the new operational story for SaaS-era IR.

White line art on deep navy: a commercial office building with papers escaping through a cracked window, a hooded figure silhouette, a data pipe with red accent dot, and an open padlock.

Commercial real estate giant Cushman & Wakefield confirmed a vishing-related security breach on May 5, 2026. Two unrelated ransomware-and-extortion groups — ShinyHunters and Qilin — independently listed the firm on their dark-web leak sites within days of each other. ShinyHunters claimed theft of more than 500,000 Salesforce records and demanded payment by May 6. After negotiations failed, the group published a 50GB dataset on May 8. The Qilin claim is separately listed and does not include proof samples.

On Tuesday, May 5, 2026, Cushman & Wakefield — one of the global "Big Four" commercial real estate firms, alongside CBRE, JLL, and Colliers International — confirmed a "limited" data security incident attributed to a vishing attack on an employee. The Chicago-headquartered firm reported $10.3 billion in 2025 revenue, employs roughly 52,000 professionals across more than 400 offices in over 60 countries, and manages approximately 5,100 million square feet of commercial space and 144,000 multi-unit residential properties.

What makes this incident editorially distinct from a typical SaaS data-theft disclosure is that two operationally separate ransomware-and-extortion groups have independently claimed Cushman as a victim within three days of each other: ShinyHunters listed the firm on May 3, and Qilin listed it on May 4. Cybernews and The Register both note there is no previously established coalition between the two groups, suggesting the listings are coincidentally timed rather than coordinated. ShinyHunters supplied a specific theft claim (more than 500,000 Salesforce records containing PII and internal corporate data) and a deadline; Qilin's listing does not detail attack methodology, does not include proof samples, and notably omits the "Time till publication" countdown clock the group typically uses to pressure victims.

The single most operationally consequential detail is the broader campaign context. ShinyHunters' Salesforce-targeting activity is tracked by Google Threat Intelligence Group as UNC6040 and pairs vishing-based initial access with the takeover of OAuth tokens used by third-party Salesforce integrations. Confirmed recent ShinyHunters-linked victims include ADT, Carnival Cruise Line, Rockstar Games, McGraw Hill, 7-Eleven, Vimeo, Medtronic, and Instructure (Canvas). Cushman is the latest confirmed target. The dual-actor claim adds a new wrinkle that most enterprise IR playbooks have not pre-scripted.

Cushman & Wakefield Breach Profile

Victim: Cushman & Wakefield — Chicago-headquartered Fortune 500 commercial real estate firm; one of the "Big Four" globally
Scale: $10.3 billion 2025 revenue; ~52,000 professionals; 400+ offices in 60+ countries; ~5,100M sq ft managed; 144,000 multi-unit properties
Initial-access vector: Vishing (voice phishing) of an employee — confirmed by Cushman & Wakefield
Claimed attack date: May 1, 2026 (per ShinyHunters)
ShinyHunters leak-site listing: May 3, 2026 — "FINAL WARNING PAY OR LEAK" status flag
Qilin leak-site listing: May 4, 2026 — no methodology details, no proof samples, no countdown clock
Public confirmation: May 5, 2026 — Cushman & Wakefield confirmed vishing-related incident to multiple outlets
ShinyHunters deadline: May 6, 2026 — passed without agreement
Data leak: May 8, 2026 — 50GB compressed zip file uploaded by ShinyHunters (per Cybernews researcher Rasa Jurgutyte)
ShinyHunters claim: 500,000+ Salesforce records — PII and internal corporate data
Threat actor tracking: ShinyHunters tracked by Google Threat Intelligence Group as UNC6040; pattern documented by Obsidian Security in April 2026
Recent UNC6040 victims: ADT, Carnival Cruise Line, Rockstar Games, McGraw Hill, 7-Eleven, Vimeo, Medtronic, Instructure (Canvas)

The Vishing-to-OAuth Kill Chain ShinyHunters Has Now Run Eight Times

Cushman's official statement to The Register and others described the breach as a "limited data security incident due to vishing," said the firm has activated response protocols and engaged third-party expert advisors, and said that systems and operations continue to run normally. The firm did not confirm ShinyHunters' specific 500,000-record claim or characterize the alleged Salesforce data theft. Both Cybernews and The Register attribute the initial-access vector to a voice-phishing call against an employee — the same pattern Obsidian Security documented in its April 2026 report on ShinyHunters' Salesforce campaign: compromise an Okta account through voice phishing, register a persistent multi-factor authentication factor, move between applications connected through SSO, and exfiltrate cloud data.

That kill chain has now produced confirmed victims across roughly every major sector. Real estate (Cushman). Education (Instructure). Consumer security (ADT, where 10 million Salesforce records were allegedly stolen earlier in 2026 after vishing-obtained Okta credentials). Travel (Carnival Cruise Line). Entertainment (Rockstar Games). Publishing (McGraw Hill). Retail (7-Eleven). Media (Vimeo). Medical devices (Medtronic). Researchers also note that many companies still have not revoked OAuth tokens compromised during the mid-2025 ShinyHunters campaign targeting Salesloft Drift, a Salesforce integration provider — meaning the standing exposure from that 2025 campaign is, for some organizations, still live.

This is the same campaign The CyberSignal documented in coverage of the Canvas / Instructure ShinyHunters defacement. The pattern is now identifiable enough that Cushman, Canvas, and ADT should be read as three episodes of a single ongoing campaign rather than three discrete incidents — and The CyberSignal's broader ShinyHunters threat-actor coverage tracks how the group's vishing-to-OAuth tradecraft has matured into the year's dominant SaaS data-theft pattern.

What the Qilin Listing Means — And What It Probably Doesn't

Qilin is, by victim count, the top ransomware group of 2026, with 1,784 victims documented since the group first appeared in October 2022. The group operates a more traditional encrypt-and-extort model than ShinyHunters' data-theft-only model. The Qilin listing of Cushman dated May 4 lacks the substantiation Cybernews and The Register typically use to validate a leak-site claim: no methodology detail, no proof samples, no separate corroborating data claim, and — unusually for Qilin — no countdown timer to pressure the victim into negotiating. Cybernews's specific assessment is that the Qilin listing does not include enough information to determine whether it is connected to the ShinyHunters claim. The Register reaches the same conclusion, noting there is no previously established coalition between ShinyHunters and Qilin, and that the timing is more likely coincidental than coordinated.

Although rare, parallel claims by rival ransomware gangs are not unprecedented. Cybernews notes the 2023 attacks on the California cities of Oakland and Modesto, where multiple ransomware gangs claimed responsibility for the same incidents. The Cushman case adds a new data point to that small set, with one operationally meaningful difference: ShinyHunters' claim is substantiated (a 500,000-record dataset and now a 50GB file), while Qilin's claim is, on its public face, opportunistic. From a defender's perspective, the practical implication is that Cushman's IR team is now running parallel attribution and validation workstreams against two distinct adversary timelines — and that operational complexity is itself a defender-takeaway lesson for the broader ransomware-response community.

What "FINAL WARNING PAY OR LEAK" Looks Like When the Victim Doesn't Pay

ShinyHunters' May 3 listing on Cushman included a status flag — "FINAL WARNING PAY OR LEAK" in red — and a deadline of May 6, 2026. The group's final-warning message accused Cushman of failing to engage despite what ShinyHunters characterized as repeated attempts and "incredible patience." When the May 6 deadline passed without an agreement, ShinyHunters posted a 50GB compressed zip file on the night of Thursday, May 7; Cybernews researcher Rasa Jurgutyte confirmed the file's appearance on the leak site. As of May 8, Cybernews researchers were still downloading and analyzing the contents. The specific Salesforce instance(s) compromised, the affected employee or role at Cushman, and the firm's regulatory-reporting status under SEC rules, state breach notification laws, and international privacy regimes have not been publicly confirmed.

The 50GB upload also confirms, through a different signal, that Cushman did not pay ShinyHunters. The group's negotiation channel is the Tox peer-to-peer encrypted messaging protocol, and its standing practice is to remove victims from public listings only after payment is received or active negotiations begin. Cushman's leak-site profile remained active through May 8 and was supplemented with the leaked dataset rather than removed — a strong inferential signal that the firm declined to negotiate. Whether Cushman engaged Qilin at all, and whether Qilin's claim leads to any separate dataset publication, is unknown.

Why Real Estate Was the Logical Next Target

Commercial real estate firms are particularly exposed to Salesforce-centric data theft because the data they hold is unusually rich. A firm of Cushman's size operates Salesforce instances containing tenant lease records, prospective-tenant pipeline data, leasing-broker contact information, property-management vendor lists, and — for the residential side — tens of thousands of multi-unit-property tenant rosters. That concentration of business-relationship data and PII makes a Cushman Salesforce instance materially more valuable to a data-extortion group than the equivalent breach at, say, an industrial-equipment manufacturer. The economics of the campaign reward going after data-rich SaaS instances, and commercial real estate sits very high on that list. Expect the next wave of UNC6040 victims to skew toward firms holding similar quantities of business-relationship data: insurance brokers, large law firms, talent agencies, and recruitment firms.

The Cushman incident also lands inside a broader Salesforce-and-SaaS-extortion pattern accumulating across May 2026. The CyberSignal's coverage of social-engineering tradecraft tracks how vishing-based initial access has displaced phishing-link-based tradecraft as the dominant entry vector for SaaS-era data theft.

Defender Actions for Salesforce-Heavy Organizations

  • Audit OAuth tokens granted to Salesforce integrations and revoke any tokens issued before mid-2025 that have not been actively used or specifically re-validated. Salesloft Drift, ZoomInfo, Marketo, Pardot, HubSpot, and similar integrations all create token entry points; treat the standing token universe as the largest defensive lever you control this quarter.
  • Enforce Salesforce IP allow-listing for API access where business-feasible. Many vishing-to-OAuth attacks succeed because the stolen OAuth token is used from attacker-controlled infrastructure that does not match legitimate integration vendor IP ranges. IP allow-listing breaks that cleanly. For integrations where allow-listing is impractical, escalate to risk-based detection on token-use geography.
  • Disable username-and-password fallback for Salesforce integrations where OAuth is configured. ShinyHunters has demonstrated repeatedly that the group will pivot to whichever authentication path is weakest. Closing the fallback path forces attackers into stronger primary authentication, which raises the operational cost of the kill chain.
  • Brief executive assistants, finance, and HR specifically on the vishing pattern. The script is now standardized: a caller impersonating IT helpdesk asks the employee to "verify" by clicking a link, reading aloud a one-time password, or installing a remote-support tool. Run quarterly tabletop exercises that include a vishing component, with helpdesk staff specifically trained to refuse credential-related actions over inbound calls.
  • Tabletop the dual-extortion scenario this quarter. When two unrelated ransomware groups claim the same victim — as with Cushman, Oakland, and Modesto — IR teams must run parallel workstreams: validate each claim independently, manage two competing extortion timelines, and maintain message consistency across regulators, customers, and staff. Most playbooks assume single-actor scenarios; the dual-actor case is operationally more complex and worth pre-scripting now.
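The first two actions above, OAuth-token hygiene and source-IP validation of token use, as an added worked example that is not from the article, from Cushman & Wakefield, or from Salesforce. It runs over a constructed token inventory and constructed API-use events. The field names AppName, CreatedDate, LastUsedDate and UseCount follow Salesforce's OauthToken object (verify them against your org's export); the Revalidated column is a constructed tracking field; the mid-2025 boundary (1 July 2025), the 90-day inactivity window and the vendor IP ranges are assumptions, and the ranges are documentation and benchmark addresses, not real vendor egress space.

```python
"""Triage Salesforce OAuth tokens and token-use events (added example, constructed data).

Field names AppName/CreatedDate/LastUsedDate/UseCount are modelled on the
Salesforce OauthToken object; 'Revalidated' is a constructed tracking column.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Policy from the article: tokens issued before mid-2025 that have not been
# actively used or specifically re-validated are revocation candidates.
CUTOFF_ISSUED = datetime(2025, 7, 1, tzinfo=timezone.utc)  # assumed "mid-2025" boundary
STALE_AFTER = timedelta(days=90)                            # assumed inactivity window

# Constructed inventory, shaped like an export of OauthToken rows.
TOKEN_INVENTORY = [
    {"Id": "tok-001", "AppName": "Salesloft Drift", "CreatedDate": "2025-03-02T10:00:00Z",
     "LastUsedDate": "2025-04-11T08:15:00Z", "UseCount": 412, "Revalidated": False},
    {"Id": "tok-002", "AppName": "HubSpot", "CreatedDate": "2025-02-14T09:30:00Z",
     "LastUsedDate": "2026-05-01T07:05:00Z", "UseCount": 9000, "Revalidated": False},
    {"Id": "tok-003", "AppName": "Marketo", "CreatedDate": "2025-01-20T12:00:00Z",
     "LastUsedDate": "2025-02-01T12:00:00Z", "UseCount": 3, "Revalidated": True},
    {"Id": "tok-004", "AppName": "ZoomInfo", "CreatedDate": "2026-01-09T16:00:00Z",
     "LastUsedDate": "2026-05-02T16:00:00Z", "UseCount": 55, "Revalidated": False},
]

# Constructed vendor egress ranges (documentation prefixes, not real vendor IP space).
VENDOR_RANGES = {
    "Salesloft Drift": ["203.0.113.0/24"],
    "HubSpot": ["198.51.100.0/25"],
    "Marketo": ["192.0.2.0/24"],
    "ZoomInfo": ["198.51.100.128/25"],
}

# Constructed token-use events: which token was used, by which app, from which IP.
API_EVENTS = [
    {"TokenId": "tok-002", "AppName": "HubSpot", "SourceIp": "198.51.100.17"},
    {"TokenId": "tok-002", "AppName": "HubSpot", "SourceIp": "198.18.0.45"},  # outside vendor range
    {"TokenId": "tok-004", "AppName": "ZoomInfo", "SourceIp": "198.51.100.200"},
]


def _parse(ts):
    """Parse the Zulu timestamps used in the constructed export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_tokens(inventory, as_of_iso):
    """Return ids of tokens issued before the cutoff that are neither recently used nor re-validated."""
    now = _parse(as_of_iso)
    flagged = []
    for tok in inventory:
        issued_before_cutoff = _parse(tok["CreatedDate"]) < CUTOFF_ISSUED
        recently_used = now - _parse(tok["LastUsedDate"]) <= STALE_AFTER
        if issued_before_cutoff and not recently_used and not tok["Revalidated"]:
            flagged.append(tok["Id"])
    return flagged


def off_range_uses(events, vendor_ranges):
    """Return (token id, source ip) for uses from outside the integration vendor's published ranges."""
    hits = []
    for ev in events:
        nets = [ipaddress.ip_network(c) for c in vendor_ranges.get(ev["AppName"], [])]
        ip = ipaddress.ip_address(ev["SourceIp"])
        if not any(ip in n for n in nets):
            hits.append((ev["TokenId"], ev["SourceIp"]))
    return hits


if __name__ == "__main__":
    print("revoke candidates:", stale_tokens(TOKEN_INVENTORY, "2026-05-08T00:00:00Z"))
    print("off-range token use:", off_range_uses(API_EVENTS, VENDOR_RANGES))
```

The two checks are deliberately independent: a token can be current and still be used from the wrong place (tok-002 here), and a long-idle token is a revocation candidate even if it has never been observed off-range. An empty vendor range list makes every use of that app off-range, which is the safe default when a vendor publishes no egress addresses.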

The CyberSignal Analysis

Signal 01 — The vishing-to-OAuth kill chain is now the dominant SaaS data-theft pattern

Cushman is at least the eighth confirmed UNC6040 victim of the past 18 months, joining ADT, Carnival, Rockstar Games, McGraw Hill, 7-Eleven, Vimeo, Medtronic, and Instructure. The pattern is now consistent enough that defender posture should be calibrated against the kill chain explicitly: vishing → Okta credential capture → persistent MFA registration → SSO lateral movement → Salesforce data exfiltration. Organizations whose helpdesk training, MFA-enrollment monitoring, and OAuth-token hygiene have not been specifically reviewed against this kill chain in the last 90 days are not adequately prepared. The good news is that each link in the chain has known mitigations; the bad news is that the mitigations have to be in place across all links to break the chain. Defense-in-depth here is not a slogan — it is the literal architecture the campaign is designed to defeat.
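The MFA-enrollment monitoring link of that chain, as an added example that is not from the article, from Okta, or from Google Threat Intelligence Group. The detection runs over constructed events shaped like Okta System Log entries; the eventType values user.session.start and user.mfa.factor.activate are Okta's documented event types, but the record layout is simplified and should be checked against your tenant's schema. The per-user IP baseline and the 30-minute window are assumptions. It flags a factor activation that closely follows a session start from an IP the user has never logged in from, which is the persistence step Obsidian's report describes.

```python
"""Flag MFA factor enrollments that follow a login from a never-before-seen IP (added example).

Constructed events modelled on Okta System Log entries; eventType values are
Okta's, the simplified record layout and the baseline/window are assumptions.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # assumed: enrollment within 30 min of a new-IP login is suspicious

# Constructed baseline: IPs each user has historically authenticated from.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "bob@example.com": {"192.0.2.20", "192.0.2.21"},
}

# Constructed events (documentation IP ranges), not necessarily in time order.
EVENTS = [
    {"published": "2026-05-01T13:02:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "client_ip": "192.0.2.10"},
    {"published": "2026-05-01T13:05:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "client_ip": "192.0.2.10"},   # known IP: benign enrollment
    {"published": "2026-05-01T14:14:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "client_ip": "198.51.100.77"},
    {"published": "2026-05-01T14:10:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "client_ip": "198.51.100.77"},  # never seen for bob
    {"published": "2026-05-01T16:00:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "client_ip": "198.51.100.78"},
    {"published": "2026-05-01T18:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "client_ip": "198.51.100.78"},  # two hours later: outside window
]


def _ts(s):
    """Parse the Zulu timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_enrollments(events, known_ips, window=WINDOW):
    """Return (actor, enrollment time, ip) for factor activations that occur within
    `window` of a session start from an IP absent from that actor's baseline."""
    last_new_ip_login = {}  # actor -> time of most recent session start from an unknown IP
    hits = []
    for ev in sorted(events, key=lambda e: e["published"]):  # process in time order
        actor, ip, t = ev["actor"], ev["client_ip"], _ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(actor, set()):
                last_new_ip_login[actor] = t
        elif ev["eventType"] == "user.mfa.factor.activate":
            start = last_new_ip_login.get(actor)
            if start is not None and t - start <= window:
                hits.append((actor, ev["published"], ip))
    return hits


if __name__ == "__main__":
    for actor, when, ip in suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(f"review: {actor} enrolled a new factor at {when} after logging in from {ip}")
```

Alerting on the enrollment rather than the login is the point: a vishing-obtained one-time code gets the attacker a single session, and registering a new factor is what turns that session into standing access. Tuning the window against helpdesk-assisted enrollments, which legitimately pair a new device login with a factor activation, is the main false-positive source in practice.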

Signal 02 — Dual-actor claims are an attribution puzzle defenders should pre-script

The simultaneous ShinyHunters and Qilin listings on Cushman are not unprecedented but are uncommon enough that most enterprise IR playbooks have not specifically planned for them. The dual-actor case requires parallel validation: which claim has substantiation, which is opportunistic, whether either or both reflect actual access, and how to communicate publicly without granting credibility to an unsupported claim. Crisis-communications consistency is materially harder when two groups are on the leak-site clock with different timelines and demands. The Cushman case is the year's clearest example of why the standard "one attacker, one negotiation" assumption in ransomware playbooks needs to be updated. Pre-script the dual-actor scenario in your tabletop exercises this quarter; the day-of cost of having to figure it out under pressure is materially higher than the cost of pre-scripting now.

Signal 03 — Refusing to pay still produces leaks, and that is the system working as designed

Cushman's apparent refusal to pay produced a 50GB leak. That outcome is bad for Cushman in the short term — affected individuals will face downstream phishing and identity-fraud risk, the firm will face notification costs and regulatory scrutiny, and the public-relations and contractual fallout will play out over months. But it is, structurally, the right answer for the broader ecosystem. Every payment to ShinyHunters funds the next campaign and signals to the next vishing-targeted firm that paying is the easier path. Every refusal raises the operational cost of the campaign and degrades the unit economics of vishing-to-OAuth extortion. The Cushman outcome is, in this frame, a useful negative externality made tolerable by the affected firm absorbing it. Boards considering the pre-incident ransom-payment policy question should treat the Cushman case as the working example of "refusal at corporate scale" — not a comfortable case, but a defensible one, and one the broader ecosystem benefits from.

Sources

Primary - Cybernews: Cushman & Wakefield ShinyHunters Salesforce Breach Claim (canonical, with Qilin detail)
Reporting - Cybernews follow-up: 50GB Salesforce Dataset Leak
Reporting - The Register: Cushman & Wakefield Confirms Cyber Incident
Reporting - Cyber Daily AU: Real Estate Giant Confirms Incident — Qilin and ShinyHunters Claim Attack
Analysis - Poland Insight: UNC6040 Campaign Pattern and Obsidian Security Context
Analysis - S-RM Cyber Intelligence Briefing: 8 May 2026
Primary - Ransomware.live: ShinyHunters Victim Listing Mirror