Cushman & Wakefield Data Breach | ShinyHunters, Qilin, Vishing Incident
ObscureIQ Breach Intelligence

Cushman & Wakefield Data Breach

Status: Confirmed / Data Published / Litigation Filed
  • HIBP Accounts: 310.4K
  • Records Claimed: 500K+
  • Breach: May 2026
  • Data Posted: May 2026
  • Severity: 8/10

Breach Intelligence Summary

Entity: Cushman & Wakefield · Actors: ShinyHunters and Qilin · Source: The Register / HIBP / media and court reporting / ObscureIQ intelligence
Attack: Vishing / voice phishing with reported access to Salesforce or connected corporate data systems
Timeline: ShinyHunters claim (May 1, 2026) · Qilin listing (May 4, 2026) · HIBP indexed (May 12, 2026)
Exposure: 310.4K HIBP-indexed accounts · 500K+ Salesforce records claimed · business-contact data confirmed in indexed dataset
Status: Confirmed / Data Published · Risk: High for spear phishing, real-estate fraud, BEC, and possible identity misuse

Summary

In May 2026, Cushman & Wakefield, one of the world’s largest commercial real estate services firms, confirmed a limited data security incident caused by vishing. The incident followed public claims by ShinyHunters and Qilin, two separate cybercriminal groups that both targeted or listed the firm within the same window.

ShinyHunters claimed it stole more than 500,000 Salesforce records containing personal information and internal corporate data. The group allegedly issued a pay-or-leak demand and later published data after Cushman & Wakefield did not engage.

Have I Been Pwned later indexed 310,400 affected accounts from the published dataset. HIBP describes the exposed data as primarily business information, including email addresses, names, job titles, company addresses, phone numbers, physical addresses, and salutations.

A proposed class-action lawsuit filed in New York federal court alleges broader exposure of current and former client and tenant information, including dates of birth, Social Security numbers, driver’s license numbers, and financial information. Cushman & Wakefield reportedly called the lawsuit baseless and described the ShinyHunters incident as very limited in scope.

The public evidence should be read in two layers: confirmed indexed business-contact data, and more sensitive PII alleged in litigation and media coverage.

ObscureIQ assessment: The strongest public confirmation concerns business-contact data. The most sensitive categories should be treated as possible exposure unless substantiated by direct notice, dataset analysis, regulatory filing, or court-tested evidence.

About Cushman & Wakefield

Cushman & Wakefield is a global commercial real estate services firm headquartered in Chicago. The firm serves property owners, occupiers, investors, landlords, tenants, brokers, facilities teams, and corporate real estate departments.

Because the firm sits inside commercial real estate workflows, its data can include business contacts, tenant records, property records, leasing history, corporate decision-maker data, and client-service records.

  • Commercial leasing
  • Property management
  • Facilities services
  • Capital markets advisory
  • Valuation and advisory services
  • Tenant representation
  • Project and development services
  • Global occupier services
  • Corporate real estate operations

If you worked with Cushman & Wakefield, leased space through the firm, contacted a C&W broker, appeared in a tenant or client record, or exchanged business communications with the company, your information may be included.

Threat Actor: ShinyHunters / Qilin Claims

This incident aligns with the 2025–2026 pattern of social-engineering-first intrusions against identity, CRM, and Salesforce-connected environments. Public reporting has not confirmed a partnership between ShinyHunters and Qilin; the claims may reflect separate or opportunistically timed activity.

Reported pattern includes:
  • Voice phishing call or voice-based pretext
  • Impersonation of IT support, vendors, trusted contacts, or internal workflows
  • Employee pressured into granting access or completing a remote-access step
  • Use of obtained access against CRM, Salesforce, SSO, or connected corporate systems
  • Pay-or-leak extortion demand followed by data publication if negotiations fail

Breach Exploitation Status

Threat Activity: High

Signal: Status
  • Dark web / breach-channel circulation: Detected
  • HIBP indexing: Detected
  • Real-estate themed phishing relevance: High
  • Credential stuffing overlap: Possible
  • Sensitive PII exposure beyond business-contact data: Alleged
  • Law enforcement / regulatory final scope: Unknown

Data Longevity: High persistence

Business contact records, property relationships, names, addresses, job titles, and phone numbers remain useful for spear phishing, impersonation, and real-estate fraud long after publication.

Data Points Exposed

Verified or indexed fields reported by HIBP:
  • Email addresses
  • Names
  • Job titles
  • Phone numbers
  • Physical addresses
  • Company addresses
  • Salutations
  • Corporate contact records

Threat-actor claims and media reporting reference:
  • Salesforce records
  • Internal corporate data
  • PII contained in CRM records
  • Client or tenant records

Alleged in the proposed class-action lawsuit:
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Financial information
  • Personal information of current and former clients and tenants

Not confirmed in the HIBP-indexed dataset:
  • Plaintext passwords
  • Hashed passwords
  • Payment card numbers
  • Bank account credentials
  • Account login tokens

Treat confirmed HIBP business-contact data separately from lawsuit allegations. Sensitive PII may be possible for some people, but it should not be described as universally confirmed for every affected record.

Dark Web Verification

Status: Confirmed / Data Published / Litigation Filed

  • Dataset was added to Have I Been Pwned on May 12, 2026 with 310.4K affected accounts.
  • ShinyHunters claimed more than 500,000 Salesforce records containing PII and internal corporate data.
  • Qilin separately listed Cushman & Wakefield on its leak site on May 4, 2026.
  • Public reporting suggests dual targeting or coincident timing, not a confirmed partnership between the groups.

Impact

This breach carries elevated risk because commercial real estate records can map people, companies, properties, locations, roles, relationships, and business decision chains. Even when exposed data is “business contact” data, it can still enable targeted fraud.

Primary downstream threats include:
  • Spear phishing against brokers, tenants, landlords, investors, and corporate real estate teams
  • Vendor impersonation using real Cushman & Wakefield context
  • Fake lease, invoice, rent, brokerage, or closing-related payment requests
  • Business email compromise targeting real estate transactions
  • Social engineering against property managers and facilities teams
  • Pretexting calls referencing real job titles, addresses, or corporate relationships
  • Tenant or client impersonation
  • Credential attacks against corporate accounts
  • Physical targeting risks tied to office, tenant, and property-location data
  • Data broker and breach-profile enrichment for executives and high-value employees

Recommendations for Impacted Individuals

If you believe your information may be included:

  • Do Not Dismiss This as “Just Business Data”: Corporate contact data is frequently used as the first layer of targeted fraud. Real estate workflows are vulnerable because payments, leases, invoices, vendors, and title-adjacent processes create believable pretexts.
  • Change Passwords: Prioritize C&W-related portals, work email, CRM, property-management, facilities, vendor, and any account sharing similar credentials.
  • Enable Multi-Factor Authentication: Prioritize work email, personal email used for business, corporate SSO, real estate transaction platforms, financial accounts, and property-management portals.
  • Watch for Real Estate-Themed Scams: Be alert for fake lease-document requests, payment changes, property-management messages, vendor onboarding, C&W support notices, DocuSign notices, and updated bank-detail emails.
  • Verify Payment and Wire Instructions Out of Band: Confirm any payment, wire, lease, invoice, or vendor-account change using a known phone number. Do not rely on contact details from the new message.
  • Monitor for Identity Abuse: If you may be part of the sensitive client or tenant population alleged in litigation, monitor credit inquiries, address-change attempts, account openings, bank changes, carrier changes, and debt-collection scams.

Company Response / Statement Summary

Cushman & Wakefield confirmed a limited data security incident tied to vishing and said it activated response protocols, contained unauthorized activity, and engaged third-party advisors.

The company stated that systems and operations continued to run normally.

Following the class-action filing, Cushman & Wakefield reportedly described the lawsuit as baseless and said the ShinyHunters incident was very limited in scope. The company also said it was communicating with impacted clients.

Public reporting has not yet established the final scope of the breach, the full list of affected fields, or whether the sensitive PII alleged in litigation was contained in the publicly indexed dataset.

Corporate Accountability

A proposed class-action lawsuit was filed in the U.S. District Court for the Southern District of New York by commercial tenant Michelle Milewski.

The complaint reportedly alleges that Cushman & Wakefield failed to implement industry-standard cybersecurity safeguards before and after the breach.

Cushman & Wakefield is a major global commercial real estate company and may have disclosure responsibilities under applicable federal and state requirements when incidents are determined material.

Initial threat-actor claims, indexed dataset size, media reporting, and lawsuit allegations do not perfectly match. Users should not rely only on early estimates when making risk decisions.

Frequently Asked Questions

What happened in the Cushman & Wakefield data breach?

In May 2026, Cushman & Wakefield confirmed a limited data security incident tied to vishing. ShinyHunters and Qilin both claimed activity against the firm, and data was later indexed by breach services.

How many accounts were affected?

Have I Been Pwned indexed approximately 310,400 affected accounts. ShinyHunters separately claimed more than 500,000 Salesforce records, but claim size and confirmed indexed accounts are different measures.

What data was exposed?

HIBP reports business-contact data such as email addresses, names, job titles, phone numbers, physical addresses, company addresses, and salutations. More sensitive PII is alleged in litigation and media reporting but should be treated as possible exposure unless independently confirmed.

Is the breach confirmed?

Yes. The company confirmed a limited vishing-linked data security incident, and breach data was indexed. Final scope and the most sensitive alleged fields remain subject to further confirmation.

Is there a lawsuit?

Yes. A proposed class-action lawsuit was filed in New York federal court alleging failure to protect client and tenant PII. Cushman & Wakefield reportedly called the lawsuit baseless.

What should affected people do?

Change reused passwords, enable MFA, watch for real-estate themed phishing and payment-change scams, verify wire or invoice changes out of band, and monitor for identity abuse if sensitive PII may be involved.

ObscureIQ Advisory

This was not merely a generic contact-data exposure. Real estate data can reveal organizations, properties, trusted vendors, payment workflows, tenant relationships, and physical locations.

For attackers, that context can make phishing and payment fraud far more believable.

If you are:
  • A broker, landlord, investor, tenant, or commercial real estate executive
  • A facilities, property-management, or corporate real estate employee
  • A public-facing person whose office or property relationships matter
  • Or simply concerned about identity misuse from business-contact exposure

ObscureIQ can help map realistic downstream threat vectors from breached real estate and corporate-contact data.

Classification Tags

ShinyHunters · Qilin · Vishing · Salesforce Records · Data Exfiltration · Real Estate · Commercial Property · CRM Data · Email · Phone · Address · Job Title

Contact ObscureIQ for a free breach impact check.

If you believe your information may be part of this breach, or want confirmation across other datasets,

We use a multi-layered intelligence stack, combining public and restricted dark-web sources, to confirm whether your data is in circulation.