In May 2026, real estate services firm Cushman & Wakefield had data on approximately 310,000 accounts exposed after the ShinyHunters group carried out an extortion campaign and published stolen corporate contact records.
What happened
According to Have I Been Pwned, in May 2026 the ShinyHunters cybercriminal group targeted Cushman & Wakefield with a "pay or leak" extortion campaign. When the firm did not comply, the group publicly released data they claimed to have obtained from the company.
The Register reported that Cushman & Wakefield confirmed the attack, which involved a vishing (voice phishing) method.
What was exposed
According to HIBP, the published data consisted primarily of business contact information: names, job titles, email addresses, phone numbers, physical addresses, and salutations. The records included both internal Cushman & Wakefield email addresses and tens of thousands of external corporate contacts.
Who is affected
Approximately 310,431 accounts are listed as affected. Those impacted are largely current or former employees and external business contacts of Cushman & Wakefield, based on the nature of the exposed data.
What to do now
If you have a business relationship with Cushman & Wakefield, be alert to targeted phishing or social engineering attempts using your name, job title, or contact details. Be cautious of unsolicited calls or emails referencing your professional information. Consider updating contact preferences if you receive suspicious outreach.