What Happened
Cushman & Wakefield, one of the world’s largest commercial real estate services firms, confirmed it suffered a data breach after ShinyHunters published a 50GB archive of Salesforce records on its leak site. The company acknowledged attackers used vishing — voice phishing — to social-engineer an employee into granting access, resulting in the exfiltration of over 500,000 Salesforce records containing personally identifiable information and internal corporate data.
The breach was confirmed on May 5, 2026. ShinyHunters set a May 6 ransom deadline and, after receiving no payment, published the dataset. Separately, Qilin listed Cushman & Wakefield on its own extortion site on May 4, suggesting either a shared initial access broker or two concurrent incidents. Cybernews reported the leak and The Register confirmed the company’s statement.
This breach follows a pattern ShinyHunters established in March 2026: compromise a Salesforce tenant through employee social engineering, exfiltrate CRM data at scale, and demand ransom with a short deadline before publishing. The group claims it has breached Salesforce data belonging to over 100 organizations in this campaign, including ADT, Carnival Cruise Line, Rockstar Games, Canada Life, CarGurus, and McGraw-Hill.
Why This Matters for Canadian Organizations
Salesforce is one of the most widely deployed CRM platforms in Canada. Financial services firms, insurers, telecommunications companies, retailers, and government-adjacent organizations all rely on Salesforce to manage customer relationships, contracts, and support workflows. The attack model ShinyHunters is using does not require a vulnerability in Salesforce itself — it requires one phone call to the right employee.
Canadian organizations that experience a breach of this type face obligations under PIPEDA, and in Quebec under Law 25, to notify affected individuals and report to the Office of the Privacy Commissioner within the prescribed timeframes. The Canada Life breach in April 2026, which exposed 70,000 Canadians’ insurance data through the same pattern, demonstrates this is not a hypothetical risk for Canadian tenants.
The secondary risk is lateral movement. Salesforce credentials and session tokens stored in CRM environments often give attackers access to connected platforms — marketing automation, support ticketing, analytics, and billing systems. Once inside a Salesforce org, threat actors with time and access can pivot across an organization’s full customer-facing technology stack.
What to Do
Audit all Salesforce administrator and privileged user accounts for recent logins from unfamiliar IP ranges or geographic anomalies. Enable Salesforce Event Monitoring if not already active and review Connected App authorizations for tokens issued outside normal business hours. Brief your IT help desk on vishing scenarios — particularly calls requesting MFA bypass, password resets, or temporary access grants. Confirm your Salesforce tenant’s login history against your identity provider logs and revoke any sessions that do not correspond to known user activity. If your organization handles customer personal data through Salesforce, assess now whether a breach notification obligation exists under PIPEDA or provincial law, and do not wait for ShinyHunters to contact you before beginning that assessment.
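One way to run the login review described above, as an added example (not code from the original article or from Salesforce). The record field names, the known IP range, the business hours, the matching window and the sample records are all assumptions constructed for illustration; map them to your own login history export and identity provider log schema.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values; replace with your own egress ranges and working hours.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59, timestamps already in local time
MATCH_WINDOW = timedelta(minutes=5)  # assumes the IdP logs one event per SSO into Salesforce

# Constructed sample records with hypothetical field names.
SF_LOGINS = [
    {"user": "admin@example.com", "time": "2026-05-01T14:02:10", "ip": "198.51.100.20"},
    {"user": "admin@example.com", "time": "2026-05-02T02:41:55", "ip": "203.0.113.77"},
    {"user": "rep@example.com", "time": "2026-05-02T09:15:00", "ip": "198.51.100.31"},
]
IDP_SIGNINS = [
    {"user": "admin@example.com", "time": "2026-05-01T14:02:05", "ip": "198.51.100.20"},
    {"user": "rep@example.com", "time": "2026-05-02T09:30:00", "ip": "198.51.100.31"},
]

def parse_ts(value):
    return datetime.fromisoformat(value)

def has_idp_match(login, idp_events):
    """True if an IdP sign-in for the same user and IP shortly precedes the login."""
    t = parse_ts(login["time"])
    return any(
        e["user"] == login["user"] and e["ip"] == login["ip"]
        and timedelta(0) <= t - parse_ts(e["time"]) <= MATCH_WINDOW
        for e in idp_events
    )

def review_logins(sf_logins, idp_events):
    """Return (user, time, reasons) for every login that needs a human look."""
    findings = []
    for login in sf_logins:
        reasons = []
        if not any(ip_address(login["ip"]) in net for net in KNOWN_NETWORKS):
            reasons.append("unfamiliar_ip")
        if parse_ts(login["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside_business_hours")
        if not has_idp_match(login, idp_events):
            reasons.append("no_idp_signin")
        if reasons:
            findings.append((login["user"], login["time"], reasons))
    return findings

if __name__ == "__main__":
    for user, when, reasons in review_logins(SF_LOGINS, IDP_SIGNINS):
        print(f"{when} {user}: {', '.join(reasons)}")
```

A login flagged only with `no_idp_signin` from a known network is the case the cross-check exists for: the session did not come through your identity provider, so it is a candidate for revocation and follow-up with the user.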






