One of the World's Largest Real Estate Firms Was Breached by a Phone Call. No Malware. No Exploit. Just Someone Picking Up.

Breaking News · Voice Phishing
May 2026  ·  8 min read

In early May 2026, an employee at Cushman & Wakefield — a $10 billion global real estate firm with 52,000 staff — answered a phone call from someone who sounded like IT support. That call led to 500,000 Salesforce records stolen, 50 gigabytes dumped publicly, a class action lawsuit filed within a week, and two ransomware groups claiming the same company simultaneously. The attack didn't require a single line of malicious code.


The 2026 Verizon DBIR documented it. The CISA GitHub leak illustrated it. The McDonald's chatbot confirmed it. Every post in this series has circled the same truth from a different angle: the most dangerous attack vector in 2026 is not a technical exploit — it's a human being who trusted something they shouldn't have.

The Cushman & Wakefield breach is the clearest version of that story yet. No malware was deployed. No zero-day was exploited. No sophisticated technical capability was required. An attacker called an employee, convinced them to hand over credentials or approve an authentication request, and used that one phone call to walk into one of the world's largest commercial real estate firms through the front door.

Cushman & Wakefield confirmed the incident publicly: "Cushman & Wakefield recently became aware of a limited data security incident due to vishing." The group responsible — ShinyHunters, tracked by Google Threat Intelligence as UNC6040 — used that single phone call to exfiltrate more than 500,000 Salesforce records. When ransom negotiations collapsed, they dumped the full 50-gigabyte dataset publicly. Within a week, a class action lawsuit had been filed in the Southern District of New York.

500K+ Salesforce records stolen — names, job titles, email addresses, client contacts, internal corporate data. Source: ShinyHunters claim / Cushman & Wakefield confirmed, May 2026.
50 GB of data dumped publicly after ransom negotiations collapsed — added to HIBP May 12, 2026. Source: Breached.company / HIBP, May 2026.
6 days from breach confirmation to class action lawsuit filed in the Southern District of New York. Source: Bisnow / U.S. District Court, May 2026.
Cushman & Wakefield was not the only victim of this attack pattern — and not even the most ironic. In March 2026, ShinyHunters used the same vishing technique to breach Aura — a company that sells identity theft protection and credit monitoring to consumers. The company whose entire business is protecting people from exactly this kind of attack was itself breached by exactly this kind of attack. One employee. One phone call.

The ShinyHunters playbook — how a phone call becomes a 50GB data dump

ShinyHunters has been responsible for some of the largest data breaches of the past three years — Snowflake, Okta, Sony, AMD, ADT, Ticketmaster, and more than 100 other organizations. What makes their 2025–2026 campaign significant is not the scale. It's the method. Every single breach uses the same sequence, and none of it requires technical sophistication.

The ShinyHunters Vishing Playbook — confirmed across 100+ organizations (active as of May 2026)

1. Research the target. Identify employees with access to high-value systems — Salesforce, AWS, identity providers like Okta. LinkedIn, company websites, and prior breach databases provide names, roles, and contact details. Cost: free. Time: hours.

2. Call posing as IT support, a known vendor, or the company's managed security provider. The caller uses the employee's real name, references real internal systems, and creates urgency — a security incident, an account lockout, a compliance deadline. The call sounds exactly like a legitimate internal IT call. Because it's designed to.

3. Social engineer credentials, an MFA approval, or access to a "support tool." The employee is asked to share a one-time code, approve an authentication push, or install a remote access tool "for troubleshooting." The attacker now has access. No malware required.

4. Compromise the Okta or SSO account and register persistent MFA. With identity provider access, the attacker adds their own MFA device — maintaining access even after the original session ends. The company's IT team doesn't know a persistent foothold exists. Average dwell time: weeks.

5. Move laterally through OAuth tokens across connected SaaS applications. Salesforce, Slack, Google Workspace, AWS — every application connected via SSO is now accessible. The access the employee had becomes the attacker's access.

6. Exfiltrate. Ransom. Dump. Extract the highest-value data. Issue a ransom demand with a deadline. If the company doesn't pay, publish everything. The Cushman & Wakefield ransom deadline was May 6. When negotiations collapsed, the 50GB dump went public.

This playbook has been used against more than 100 organizations across every industry and every size:

Snowflake
Okta
Sony
AMD
ADT
Ticketmaster
Instructure
Aura
Cushman & Wakefield
Carnival Corp
100+ others
Your business?
The common thread across every victim isn't industry, size, or technical sophistication. It's a single employee who answered a phone call from someone who sounded credible. The DBIR 2026 confirmed that mobile social engineering — voice and SMS attacks — now succeeds at a 40% higher rate than email phishing. Your employees have gotten better at spotting suspicious emails. Their phones are the softer target.

Why this matters if you've never heard of ShinyHunters

Most SMB owners will read "ShinyHunters" and think: that's an enterprise problem. These are major corporations. We're not a target for a group that attacks Snowflake and Ticketmaster.

That assumption is wrong on two counts. First: ShinyHunters is not the only group using this playbook. It is the most documented group using it. Voice phishing as an initial access technique has been adopted across dozens of threat actor groups because it works — bypassing every technical defense because it never touches any of them.

Second: the vishing technique requires no specialized knowledge to execute against a small business. Identifying an employee's name and role, calling from a spoofed number, and asking them to "verify their credentials for a security update" is a script that runs against a 10-person accounting firm as easily as a global real estate company. The script doesn't change. Only the target does.

The four defenses that break this playbook

📞 1. A verbal verification protocol for any IT request by phone

The simplest and most effective defense: a company-wide policy that no employee ever approves an MFA request, shares credentials, or installs software based solely on a phone call — regardless of how legitimate it sounds.

If IT needs something, they submit a ticket. If a caller claims to be IT, the employee hangs up and calls IT back on a known internal number. This policy costs nothing. It breaks every vishing attack at step three.

🔐 2. Phishing-resistant MFA — not push notifications

SMS codes and authenticator push notifications can be socially engineered — the attacker asks the employee to read a code aloud or approve a push under urgency. Phishing-resistant MFA — hardware security keys or passkeys — cannot be socially engineered over a phone call because it requires physical possession of the device: there is no code for the employee to read out and no prompt for them to approve on a caller's behalf.

CISA recommends phishing-resistant MFA as the minimum standard for any organization with sensitive data. Number matching — the configuration change we covered in the MFA bypass post — significantly raises the difficulty. Hardware keys eliminate the vector entirely.

🔑 3. Audit and revoke OAuth tokens regularly

Researchers noted that many organizations targeted in mid-2025 still had not revoked OAuth tokens compromised during that campaign a year later. Once an attacker registers a persistent MFA device through a compromised Okta account, they maintain access until that device is explicitly revoked.

A quarterly audit of all active OAuth tokens, registered MFA devices, and third-party SaaS integrations closes the persistence mechanism the playbook depends on.
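As an added example (not code from Veriti Spottr or from any identity vendor), the Python script below is the kind of quarterly audit this section describes, and it also catches the persistence step of the playbook (step 4, the attacker-registered MFA device): it flags MFA factors enrolled in the last seven days, lists every factor that can be talked through over a phone, names users who have no phishing-resistant factor, and lists OAuth grants idle for more than 90 days. The record layout and the sample users are constructed; field names such as factorType, status, created and last_used are assumptions, not any vendor's API.

```python
"""Quarterly audit of MFA enrollments and OAuth grants.

Added example: not code from Veriti Spottr or from any identity vendor.
The record shapes (factorType, status, created, last_used) are constructed
to resemble an identity provider's factor and grant listings; map them to
the field names of your own IdP export before running this for real.
"""
from datetime import datetime, timedelta, timezone

# Factor types an employee can be talked through over the phone:
# reading a code aloud or tapping "approve" on a push.
PHISHABLE = {"sms", "call", "email", "push", "token:software:totp"}
# Factor types bound to a device in the employee's possession.
PHISHING_RESISTANT = {"webauthn"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp that ends in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_factors(users, as_of, recent_days=7):
    """Return (recent_enrollments, phishable_factors, users_without_resistant).

    recent_enrollments: active factors created within recent_days of as_of.
      A factor added shortly after a "help desk" call is the persistence
      step of the vishing playbook; each one should match an approved ticket.
    phishable_factors: every active factor that can be social-engineered.
    users_without_resistant: users with no active phishing-resistant factor.
    """
    cutoff = as_of - timedelta(days=recent_days)
    recent, phishable, without_resistant = [], [], []
    for user in users:
        active = [f for f in user["factors"] if f["status"] == "ACTIVE"]
        for f in active:
            if parse_ts(f["created"]) >= cutoff:
                recent.append((user["login"], f["id"], f["factorType"]))
            if f["factorType"] in PHISHABLE:
                phishable.append((user["login"], f["id"], f["factorType"]))
        if not any(f["factorType"] in PHISHING_RESISTANT for f in active):
            without_resistant.append(user["login"])
    return recent, phishable, without_resistant


def stale_grants(grants, as_of, max_idle_days=90):
    """Return OAuth grants (user, client) unused for more than max_idle_days.

    An idle grant is a standing door into a connected SaaS app that nobody
    would miss if it were revoked, so revoke first and ask questions later.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return [(g["user"], g["client"]) for g in grants
            if parse_ts(g["last_used"]) < cutoff]


# Constructed sample data (hypothetical users, not from any real tenant).
SAMPLE_USERS = [
    {"login": "alice@example.com", "factors": [
        {"id": "f1", "factorType": "webauthn", "status": "ACTIVE",
         "created": "2025-11-03T09:12:00Z"},
        {"id": "f2", "factorType": "push", "status": "ACTIVE",
         "created": "2025-11-03T09:15:00Z"}]},
    {"login": "bob@example.com", "factors": [
        {"id": "f3", "factorType": "push", "status": "ACTIVE",
         "created": "2025-06-20T14:00:00Z"},
        # Enrolled four days before the audit date: must match a ticket.
        {"id": "f4", "factorType": "token:software:totp", "status": "ACTIVE",
         "created": "2026-05-02T17:41:00Z"}]},
    {"login": "carol@example.com", "factors": [
        {"id": "f5", "factorType": "sms", "status": "ACTIVE",
         "created": "2024-01-10T08:00:00Z"}]},
]
SAMPLE_GRANTS = [
    {"user": "bob@example.com", "client": "Salesforce Connector",
     "issued": "2025-05-01T00:00:00Z", "last_used": "2025-07-15T00:00:00Z"},
    {"user": "alice@example.com", "client": "Slack",
     "issued": "2026-01-04T00:00:00Z", "last_used": "2026-05-05T00:00:00Z"},
]
AS_OF = datetime(2026, 5, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    recent, phishable, without = audit_factors(SAMPLE_USERS, AS_OF)
    print("Factors enrolled in the last 7 days (verify against tickets):")
    for row in recent:
        print("  ", row)
    print("Phishable factors still active:")
    for row in phishable:
        print("  ", row)
    print("Users with no phishing-resistant factor:", without)
    print("OAuth grants idle > 90 days (revoke):", stale_grants(SAMPLE_GRANTS, AS_OF))
```

Every entry in the recent-enrollment list should map to an approved help-desk ticket; an enrollment with no ticket behind it is the persistent foothold from step four of the playbook and the device should be removed and the account's sessions ended. The idle-grant list is the revocation queue for the quarterly review.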

🎯 4. Vishing-specific training — not just email phishing awareness

Security awareness training that covers email phishing but not voice phishing is training for the wrong attack. The 2026 DBIR confirmed mobile social engineering succeeds at a 40% higher rate than email phishing.

Employees need to know: what a vishing call sounds like, what the common pretexts are (IT support, vendor verification, compliance deadline), and what the correct response is. This training is a 20-minute addition to any existing security awareness program.

The Cushman & Wakefield breach is now a class action lawsuit. The plaintiffs allege the company "lost control" of client names, Social Security numbers, dates of birth, and financial information. The legal theory: a $10 billion firm had a duty to protect client data, and a single phone call that bypassed no technical defenses — because none appropriate to a voice attack existed — caused that duty to be breached. The same legal theory applies to any business that holds client data and has no policy for handling suspicious calls from apparent IT support.

The question your business needs to answer today

If someone called your most junior employee right now, identified themselves as your IT provider, said there was an urgent security issue with their account, and asked them to read a verification code — what would they do?

For most small businesses, the honest answer is: they'd read the code. Not because they're careless. Because nobody ever told them not to. Because there's no policy. Because the training they received covered email phishing and stopped there. Because the attacker sounds completely credible and the request sounds completely routine.

That gap — between what your employees would do and what they should do — is the same gap ShinyHunters has exploited across 100+ organizations. Cushman & Wakefield had it. Aura had it. The answer is a 20-minute training session, a one-page policy, and phishing-resistant MFA. Not a security budget. Not a security team. A policy and a training. That's the entire defense.

The Veriti Spottr CyberScore's Security Posture survey covers your organization's awareness training practices, incident response readiness, and access control policies — exactly the three dimensions that determine whether your business has the defenses this playbook requires. A score below 60 on the Security Posture component is a signal worth acting on before a phone call finds the same gap that found 100+ enterprises before you.

Know where your human risk gaps are before a phone call finds them. Veriti Spottr's beta is free.

Get your CyberScore →
Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
