ShinyHunters Salesforce leak hits Cushman & Wakefield

The ShinyHunters Salesforce leak campaign expanded after cybercriminals claimed they stole sensitive data connected to global real estate company Cushman & Wakefield. Researchers said the incident appears linked to a wider wave of attacks targeting Salesforce customers through social engineering and third-party access abuse.

The alleged breach renewed concerns about how attackers exploit cloud ecosystems and connected enterprise platforms to access large volumes of corporate data.

ShinyHunters listed Cushman & Wakefield on its leak site

The cybercriminal group ShinyHunters added Cushman & Wakefield to its extortion leak site and claimed it obtained company data during a recent compromise. Attackers also published sample files allegedly connected to the organization as proof of the breach. (cybernews.com)

Researchers said the exposed information appeared tied to Salesforce-related infrastructure rather than a direct compromise of Salesforce itself. The incident reportedly involved a third-party platform integrated with the company’s Salesforce environment. (cybernews.com)

Cushman & Wakefield stated that it launched an investigation after learning about the claims. The company also said it involved external cybersecurity specialists to examine the incident and determine whether any customer or corporate information was affected. (cybernews.com)

Researchers linked the attacks to social engineering

Security researchers said the recent Salesforce-related attacks relied heavily on social engineering tactics instead of traditional malware deployment. Threat actors reportedly targeted help desk staff and external service providers to gain access to enterprise accounts.

Attackers allegedly impersonated employees and convinced support teams to reset credentials or modify authentication settings. Once inside connected systems, the attackers attempted to access sensitive enterprise data stored across cloud environments.

Researchers warned that identity-focused attacks have become increasingly effective because many organizations rely heavily on centralized SaaS platforms for daily operations.

The campaign also demonstrated how attackers continue targeting third-party integrations and external support channels instead of directly attacking hardened corporate networks.

Salesforce ecosystems became attractive targets

Security experts warned that Salesforce environments contain large amounts of valuable business information. Organizations often connect customer databases, financial systems, internal communications, and operational tools to their Salesforce infrastructure.

Because of that, attackers who compromise connected accounts can potentially gain access to multiple enterprise systems simultaneously.

Researchers noted that cloud-based platforms also create centralized access points that become highly valuable targets for extortion groups like ShinyHunters. Compromising one connected platform may expose customer records, contracts, internal documents, and sensitive operational data.

The alleged Cushman & Wakefield incident reflected a broader shift toward identity-based intrusions and SaaS-focused cyberattacks.

Third-party access risks remain a major concern

The ShinyHunters Salesforce leak case highlighted growing concerns surrounding third-party access security. Many large organizations depend on contractors, support vendors, and cloud integrations to maintain complex enterprise environments.

Security teams warned that attackers increasingly focus on weaker external access points because they often bypass traditional network defenses.

Researchers also stressed that organizations must strengthen identity verification procedures, help desk protections, and multi-factor authentication workflows to reduce the risk of social engineering attacks targeting cloud infrastructure.

As more companies centralize operations inside SaaS platforms, third-party access controls will likely remain a major cybersecurity priority.

Conclusion

The ShinyHunters Salesforce leak campaign intensified after attackers claimed they stole data connected to Cushman & Wakefield through a third-party platform tied to Salesforce infrastructure. Researchers believe the incident reflects a growing trend of cybercriminal groups using social engineering and identity-focused attacks to compromise enterprise cloud environments. The case also highlighted the increasing security risks surrounding SaaS integrations and third-party access channels.