Cushman & Wakefield
May 5, 2026
•[ vishing, extortion, data leak ]
In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers.
Cushman & Wakefield
May 3, 2026
•[ vishing, PII, data leak ]
Cushman & Wakefield confirmed a vishing-related security breach in May 2026 after ShinyHunters and Qilin separately listed the company. ShinyHunters claimed theft of more than 500,000 Salesforce records containing PII and internal corporate data and later reportedly published a 50GB Salesforce-linked dataset after negotiations failed. DataBreach indexed 2,198,033 rows associated with the breach. Public sources did not confirm encryption or operational disruption.
Individual Filipino pensioner
April 28, 2026
•[ vishing, phishing, malware ]
A 68-year-old Filipino pensioner received a fraudulent call claiming to be from the Social Security System and was sent a Viber link to a fake app. After installation, malware hijacked his Android phone, froze the screen and power button, and allowed thieves to drain three bank accounts and two e-wallets, stealing more than 1 million.
ADT Inc.
April 20, 2026
•[ vishing, social engineering, data breach ]
ShinyHunters compromised an ADT employee Okta SSO account through vishing, used the account to access ADTs Salesforce instance, and stole personal information later assessed by Have I Been Pwned as affecting 5.5 million individuals.
Charter Communications, Inc.
April 1, 2026
•[ vishing, data leak, employee records ]
ShinyHunters claimed it breached Charter Communications on April 1, 2026 through a vishing attack that compromised an employee Microsoft Entra account and enabled access to Charter's Salesforce instance. BleepingComputer and Have I Been Pwned reported that the later published dataset exposed 4.9 million unique email addresses/accounts, along with names, phone numbers, and physical addresses; a subset of approximately 85,000 internal employee-directory records also included job titles. Public reporting did not confirm encryption, data destruction, or operational disruption.
Aura
March 18, 2026
•[ voice phishing, vishing, data leak ]
BleepingComputer reported Aura confirmed an incident where an unauthorized party gained access to nearly 900,000 records containing names and email addresses. Aura said the incident was caused by voice phishing targeting an employee and that the exposed data originated from a marketing tool used by a company acquired in 2021. Aura stated the event exposed information for 20,000 current and 15,000 former customers within the larger marketing dataset and that compromised customer information includes full names, email addresses, home addresses, and phone numbers, while emphasizing SSNs, account passwords, and financial information were not compromised. ShinyHunters claimed responsibility and said it stole 12GB of files and leaked them.
CarGurus
February 13, 2026
•[ data breach, social engineering, vishing ]
TechRadar reported that ShinyHunters claimed to have breached CarGurus and stolen about 1.7 million corporate records, threatening to release the data by a stated deadline. The report linked the claim to a broader wave of social-engineering vishing attacks used to obtain employee credentials/MFA codes and then access SSO dashboards (Okta/Entra/Google) and downstream applications. At the time of reporting in the article, CarGurus had not publicly confirmed the breach details, the precise intrusion window, or exactly what categories of data were taken beyond the actors claim, so this record reflects an alleged data-theft event pending independent confirmation.
Optimizely
February 11, 2026
•[ voice-phishing, social engineering, data leak ]
Attackers associated with the ShinyHunters cybercriminal group used a voice-phishing social engineering attack to gain access to Optimizelys internal systems and CRM environment. Approximately 10,000 client organizations were affected, with exposed data including business contact information such as names, email addresses, and phone numbers.
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
Reporting on an Okta SSO vishing (voice-phishing) campaign, ShinyHunters reportedly confirmed to a researcher that it conducted the campaign and launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
Harvard University
November 18, 2025
•[ phishing, vishing, data leak ]
Harvard University reported that a voice-phishing attack against Alumni Affairs and Development staff on November 18, 2025 led to unauthorized access to its AAD information systems, exposing contact details, fundraising records and event data for alumni, donors, parents, some students and some faculty and staff; the university locked out the intruder, notified affected individuals beginning November 22, and is working with law enforcement and incident response specialists.
