A Cushman & Wakefield leak indexed by leaksear.ch contains 43,362 records tied to Salesforce CRM and Azure AD data, including names, emails, phones, addresses, countries, and dates of birth (leaksear.ch metadata). The breach date in leaksear.ch metadata is May 1, 2026, the same date ShinyHunters told The Register it attacked the global commercial real estate firm (leaksear.ch metadata) (www.theregister.com).
What happened
Cushman & Wakefield describes itself as a full-service global commercial real estate company with approximately 53,000 employees in more than 350 offices worldwide (ir.cushmanwakefield.com). On May 5, The Register reported that the company confirmed a limited, vishing-related data security incident, said it had activated response protocols, taken containment steps, and engaged third-party expert advisors; the company also said operations continued to run normally (www.theregister.com).
The Register also reported that ShinyHunters and Qilin separately claimed activity against Cushman & Wakefield, and that ShinyHunters claimed it attacked the company on May 1 and stole more than 500,000 Salesforce records containing PII and internal corporate data. Those Salesforce volume claims were attacker-side claims, and Cybernews separately noted that Cushman & Wakefield did not confirm ShinyHunters' claims or the alleged Salesforce theft (www.theregister.com, cybernews.com).
Cybernews later reported that ShinyHunters updated its leak site with a downloadable archive after ransom talks allegedly failed, describing it as an approximately 50GB Salesforce-linked dataset; leaksear.ch metadata describes the indexed source as Salesforce CRM and Azure AD data later dumped on the ShinyHunters leak site (cybernews.com) (leaksear.ch metadata). Have I Been Pwned lists a broader Cushman & Wakefield breach at 310.4 thousand affected accounts, while this leaksear.ch source contains 43,362 indexed records, so those counts should not be treated as the same measurement (haveibeenpwned.com) (leaksear.ch metadata).
What data was exposed
The leaksear.ch index makes the following fields searchable: address, country, date of birth, email, name, and phone (leaksear.ch metadata). The stored record context also includes CRM and account fields such as AccountId, job title, salutation, mailing and other address components, mobile, home, assistant and other phone fields, fax, lead source, do-not-call and email opt-out flags, owner and reporting IDs, and created or modified timestamps; these are stored context fields, not direct leaksear.ch search pivots (leaksear.ch metadata).
Public breach listings are broadly consistent with a contact-record exposure: Have I Been Pwned lists email addresses, job titles, names, phone numbers, physical addresses, and salutations as compromised data for its Cushman & Wakefield entry (haveibeenpwned.com). The leaksear.ch metadata supplied for this index does not list passwords, Social Security numbers, or payment-card numbers among the indexed fields (leaksear.ch metadata).
Why this matters
The main risk is targeted social engineering: contact records that combine names, phone numbers, email addresses, job titles, addresses, and CRM context can support phishing, vishing, vendor-impersonation, and account-update scams against employees, clients, brokers, vendors, and partners. The FBI says business email compromise is one of the most financially damaging online crimes and notes criminals use spear-phishing and account or context data to make requests appear legitimate (www.fbi.gov). Organizations with Cushman & Wakefield relationships should verify payment, lease, invoice, or credential-reset requests through known channels, and individuals should treat unsolicited calls or emails referencing real contact details as higher risk. Readers who want to check whether their information appears in this incident should use the Cushman & Wakefield lookup on leaksear.ch.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone.
Sources
- Cushman & Wakefield: About Us
- The Register: Real estate giant confirms vishing incident as ShinyHunters and Qilin both come knocking
- Cybernews: ShinyHunters leaks Cushman & Wakefield Salesforce dataset after failed negotiations
- Have I Been Pwned: Cushman & Wakefield Data Breach
- GBHackers: Cushman and Wakefield Confirms Data Breach Impacting Over 310,000 Accounts
- FBI: Business Email Compromise