5 Things to Know About the Cushman & Wakefield Leak

The notorious extortion group ShinyHunters has officially leaked a massive dataset allegedly belonging to the commercial real estate titan Cushman & Wakefield. The dump comes after the cybercriminals claimed that ransom negotiations with the “Big 4” real estate firm completely collapsed, despite what the group described as their “incredible patience.”

The leaked archive, sarcastically titled “shouldve_paid_the_ransom,” appeared on the gang’s dark web leak site on Thursday. This move marks yet another aggressive escalation in the group’s current campaign targeting major global brands and their cloud-based CRM environments.


The Leak: 500,000 Salesforce Records Exposed

ShinyHunters claims the published cache contains 50GB of data, specifically targeting the company’s Salesforce infrastructure. According to the group’s post, the haul includes:

  • 500,000+ Salesforce Records: Likely containing customer leads, contact details, and account histories.
  • Personally Identifiable Information (PII): Sensitive data belonging to clients and employees.
  • Internal Corporate Data: Proprietary documents and internal communications.

Cybernews researchers, who began downloading the compressed archive on Friday, noted that the data is still being analyzed. Because the files are heavily compressed, the true extent of the sensitive information won’t be known until the full 50GB cache is extracted and inspected.


Vishing: The Entry Point

Cushman & Wakefield recently confirmed to the media that it was aware of a “limited data security incident.” Interestingly, the company attributed the intrusion to vishing (voice phishing).

In a vishing attack, hackers call employees pretending to be IT support or company executives to trick them into handing over login credentials or Multi-Factor Authentication (MFA) codes. This method has become a preferred entry point for groups like ShinyHunters to bypass sophisticated technical perimeters and gain access to cloud environments like Salesforce.


The “Double Claim” Confusion

In a strange twist, another ransomware collective known as Qilin also listed Cushman & Wakefield on its victim blog earlier this week. However, while Qilin provided no proof of theft, ShinyHunters has followed through with a massive data dump.

Security analysts suggest this could mean:

  1. The company was hit by two separate groups (a “double tap”).
  2. One group purchased access from the other.
  3. The groups are collaborating under a shared infrastructure.

ShinyHunters’ Global Extortion Spree

The Cushman & Wakefield leak is not an isolated event. The group is currently managing multiple high-profile “global incidents” simultaneously.

Researchers noted that download speeds for the real estate dataset were unusually slow on Friday—a sign that the hackers’ servers are being slammed by traffic. This spike is likely due to the ongoing Canvas e-learning breach, where ShinyHunters is threatening 9,000 schools with a May 12th deadline.


Critical Steps for Real Estate Professionals

If you are a client, employee, or partner of Cushman & Wakefield, the following steps are highly recommended:

  • Verify Salesforce Security: If your organization uses Salesforce, audit your “Export Logs” to see if any unusual bulk downloads have occurred recently.
  • Phishing Defense: Be on high alert for emails or calls referencing specific real estate deals or internal corporate projects. Hackers will use the leaked data to make their scams look authentic.
  • Credential Rotation: Change passwords for any account that may have been linked to the Salesforce environment.
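
To illustrate the export-log audit recommended above, here is an added example (not code from the original article or from Salesforce) that flags days on which a user exported far more rows than their own norm. The CSV column names, the sample rows, and the thresholds are constructed assumptions; map them to the fields your own export or event logs provide.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample; column names are assumptions, not a Salesforce schema.
SAMPLE_LOG = """timestamp,user,source_ip,object,rows_exported
2024-01-08T09:12:00Z,alice@example.com,198.51.100.10,Lead,120
2024-01-09T10:03:00Z,alice@example.com,198.51.100.10,Contact,200
2024-01-10T09:47:00Z,alice@example.com,198.51.100.10,Lead,150
2024-01-11T02:14:00Z,alice@example.com,203.0.113.77,Contact,180000
2024-01-11T02:31:00Z,alice@example.com,203.0.113.77,Account,95000
2024-01-09T14:00:00Z,bob@example.com,198.51.100.22,Account,40000
2024-01-10T14:05:00Z,bob@example.com,198.51.100.22,Account,42000
2024-01-11T14:02:00Z,bob@example.com,198.51.100.22,Account,41000
"""

def flag_bulk_exports(log_text, factor=10, min_rows=10000):
    """Return (user, day, rows, new_ips) for days far above the user's own baseline."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> rows exported
    ips = defaultdict(lambda: defaultdict(set))     # user -> day -> source IPs
    for rec in csv.DictReader(io.StringIO(log_text)):
        day = rec["timestamp"][:10]
        daily[rec["user"]][day] += int(rec["rows_exported"])
        ips[rec["user"]][day].add(rec["source_ip"])

    findings = []
    for user, days in daily.items():
        for day, rows in sorted(days.items()):
            others = [r for d, r in days.items() if d != day]
            baseline = median(others) if others else 0
            # Volume must be large in absolute terms and relative to the user's norm,
            # so a routine heavy exporter (bob) is not flagged every day.
            if rows < min_rows or rows < factor * baseline:
                continue
            known = set().union(*(ips[user][d] for d in days if d != day))
            findings.append((user, day, rows, sorted(ips[user][day] - known)))
    return findings

if __name__ == "__main__":
    for finding in flag_bulk_exports(SAMPLE_LOG):
        print(finding)
```

A flagged day that also lists a source IP never seen on the user's other days is the combination to review first, since credentials obtained through vishing are typically used from an unfamiliar network.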
