Cushman & Wakefield Broke Our Salesforce-Okta Filter. None of the Predicted Ten Have Hit. Re-Rank Inside.
- Patrick Duggan
On April 26 we published "ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern." Two weeks later, the receipts say two things at once. Our filter caught real victims. Our filter was also too narrow.
This is the public re-rank.
The original ten, in fit-order
T-Mobile. Verizon. American Express. Comcast and Xfinity. Chick-fil-A. Dollar General. Coca-Cola. JetBlue. Spotify. Target.
The fit criteria we used were a consumer-facing brand, a large Salesforce customer database, Okta SSO, and a help desk that processes MFA resets over the phone without out-of-band verification. The frame was specifically consumer loyalty programs, because that is where ShinyHunters (tracked as UNC6040) had been concentrating their vish (voice-phishing) chain: call the help desk, impersonate an employee, talk the agent into resetting MFA, enroll an attacker-controlled factor, SSO into Salesforce.
ADT confirmed today. ADT was not one of the predicted ten by name, but the pattern fit, and our post discussing the ADT claim went out five days before the original prediction list. Five and a half million users compromised through an Okta SSO foothold into Salesforce. The vish chain executed cleanly. The pattern held.
Instructure Canvas confirmed last week. Two hundred seventy-five million records across 8,809 educational institutions. Three and a half terabytes. ShinyHunters again. Not on the predicted ten because the filter was consumer brands and Canvas is education software, but the underlying mechanic — Salesforce-adjacent CRM, identity provider trust, support desk MFA reset — was identical.
Then today: Cushman and Wakefield.
Why Cushman broke the filter
Cushman and Wakefield is a commercial real estate services firm. They are not consumer-facing in any meaningful sense. They do not run loyalty programs. They do not have a "customer database" in the sense that T-Mobile does. They have a B2B customer relationship management stack with five hundred thousand Salesforce records of clients, transactions, property data, and brokerage relationships.
ShinyHunters hit them anyway. Same playbook. Same Salesforce exfiltration. Same blast radius.
The filter we used was wrong because it assumed the attacker needed a consumer database with phone numbers to vish the help desk. The attacker did not need that. The attacker needed three things that Cushman has, that ADT had, that Canvas had, that every name on the original ten still has.
One. A large enough Salesforce footprint to make exfiltration worth the effort.
Two. An identity provider — Okta, Microsoft Entra, Ping, anything with SSO trust — sitting in front of Salesforce.
Three. A help desk function that resets MFA over the phone without out-of-band verification, meaning the agent accepts whatever the caller supplies on the call itself as proof of identity.
That is the actual filter. The consumer-facing constraint was theater. Drop it.
The refined filter
The new filter is broader and more honest. Any organization with a Salesforce or Salesforce-equivalent CRM in production, an identity provider with help-desk-reachable MFA reset capability, and more than one hundred thousand records of any kind is on the target surface.
That is roughly twelve thousand organizations in the United States alone. The previous filter missed Cushman because we assumed consumer-loyalty programs were the target shape. We were watching the wrong axis.
The asymmetry favors the attacker here. ShinyHunters does not care whether the records are loyalty points or property leases or student transcripts or HVAC service tickets. The records are dollar value at exfiltration. The vish chain works the same way regardless of what is inside the database.
The re-rank
We are holding the original ten in place, because the consumer-brand subset still has the highest blast radius if compromised. T-Mobile, Verizon, and American Express together hold roughly three hundred eighty million records, and the regulatory exposure is catastrophic. Spotify and Target add another seven hundred million. These names stay on the list because the consequence of a hit is asymmetric.
Adding ten more names that fit the refined filter. In rough fit-order:
CBRE Group. Largest competitor to Cushman and Wakefield. Same industry. Same Salesforce footprint. Same vish-chain exposure.
JLL. The third major commercial real estate services firm. Third leg of the same pattern; same arguments.
McKesson. Healthcare distribution. Salesforce reference customer. Vast B2B record set. We have prior coverage of McKesson on the AIPM leaderboard.
Cardinal Health. Same vertical, same logic.
Cigna. Healthcare payer with massive customer-facing call center operation. Phone-based MFA reset is structurally hard to avoid in their model.
CVS Caremark. Pharmacy benefit manager. Eighty million members in claims data. The records do not need to be loyalty cards to be valuable.
UnitedHealth. Optum included. The largest healthcare information operation in the country. The vish chain works on the call center the same way it works on Comcast.
Marriott. Hospitality CRM with loyalty layered on top. The records include passport scans, payment methods, and travel patterns. Already breached in 2018 (the Starwood reservation database); a prior breach is no evidence that the help desk and identity stack were hardened afterward, and the reset path is the part that matters here.
Hilton. Same vertical, same arguments.
ADP. Payroll and HR data for tens of millions of US workers. Salesforce footprint. Identity provider trust. The records are the most regulated and the most valuable.
Why publish this now
Because the prediction was public and the receipts are partial. ADT confirmed. Canvas confirmed. Cushman confirmed. Zero of the original named ten have been hit publicly, which is either a two-week buffer or a sign that ShinyHunters is hitting the broader target surface and we drew the box too tight.
Publishing the refined filter and the expanded list is the honest move. It is also the move that gives security teams at the named organizations a chance to harden the help desk before the call comes in. Out-of-band MFA reset: a callback to a number already on file, or approval from a session the user is already authenticated in, never an inbound call alone. Voice match plus video confirmation, with the caveat that anything judged on the inbound call itself is still in-band and can be spoofed. Mandatory escalation to a manager or the identity team for any reset on a privileged or admin account. Alerting when a help-desk reset is followed by a new factor enrollment from an unfamiliar location. The technical mitigations are well documented. The implementation gap is operational, not technical.
ShinyHunters does not need to be sophisticated to win this round. They need the help desk to keep doing what the help desk has been doing since 1998. The asymmetry favors the attacker until the call-center playbook changes.
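One detection a security team at any of the named organizations could run today, added here as an illustration and not part of the original post: correlate a help-desk-initiated MFA reset in the Okta System Log with a factor enrollment shortly afterward from an IP address the user has never signed in from. The event type names (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.mfa.factor.activate`, `user.session.start`) are Okta's documented System Log types; the log lines themselves are constructed for the example, and the 60-minute window and the session-start IP baseline are assumptions to tune against real telemetry.

```python
"""Flag help-desk MFA resets followed by factor enrollment from a new IP.

Added example, not the original post's code. Field layout follows Okta's
System Log JSON (eventType, published, actor, target[], client.ipAddress);
the events below are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is reset by the help desk and re-enrolls from an
# IP she has never used (the takeover shape); bob is reset and re-enrolls from
# his usual IP (a legitimate reset). One JSON event per line.
SAMPLE_LOG = r"""
{"eventType":"user.session.start","published":"2026-05-01T09:00:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2026-05-08T09:00:00.000Z","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"203.0.113.50"}}
{"eventType":"user.mfa.factor.reset_all","published":"2026-05-10T14:02:00.000Z","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"198.51.100.5"}}
{"eventType":"user.mfa.factor.activate","published":"2026-05-10T14:06:00.000Z","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"alice@example.com"}],"client":{"ipAddress":"192.0.2.77"}}
{"eventType":"user.session.start","published":"2026-05-10T14:07:30.000Z","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"192.0.2.77"}}
{"eventType":"user.mfa.factor.reset_all","published":"2026-05-10T15:00:00.000Z","actor":{"alternateId":"helpdesk1@example.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"198.51.100.5"}}
{"eventType":"user.mfa.factor.activate","published":"2026-05-10T15:20:00.000Z","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"bob@example.com"}],"client":{"ipAddress":"203.0.113.50"}}
"""

# Okta System Log event types for an admin clearing a user's factors, and for
# a factor being enrolled afterward.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROLL_EVENTS = {"user.mfa.factor.activate"}


def parse_events(raw):
    """Parse newline-delimited System Log JSON and sort by publish time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def target_user(e):
    """The account acted upon: first target if present, else the actor."""
    return e["target"][0]["alternateId"] if e.get("target") else e["actor"]["alternateId"]


def find_reset_takeovers(events, window_minutes=60):
    """Return one alert per help-desk MFA reset that is followed, within the
    window, by a factor enrollment from an IP the user had never used.

    The baseline of "known" IPs per user is built from user.session.start
    events seen before the reset (assumption: a long enough log is available).
    """
    events = sorted(events, key=lambda e: e["_ts"])
    seen_ips = defaultdict(set)  # user -> IPs observed in earlier sessions
    alerts = []
    for i, e in enumerate(events):
        et = e["eventType"]
        if et == "user.session.start":
            seen_ips[e["actor"]["alternateId"]].add(e["client"]["ipAddress"])
            continue
        if et not in RESET_EVENTS:
            continue
        admin = e["actor"]["alternateId"]
        victim = target_user(e)
        if admin == victim:
            continue  # self-service reset: a different risk model, not in scope
        deadline = e["_ts"] + timedelta(minutes=window_minutes)
        for f in events[i + 1:]:
            if f["_ts"] > deadline:
                break
            if f["eventType"] in ENROLL_EVENTS and target_user(f) == victim:
                ip = f["client"]["ipAddress"]
                if ip not in seen_ips[victim]:
                    alerts.append({
                        "user": victim,
                        "reset_by": admin,
                        "reset_at": e["published"],
                        "enrolled_at": f["published"],
                        "enrolled_from": ip,
                        "known_ips": sorted(seen_ips[victim]),
                    })
                break  # only the first enrollment after the reset matters
    return alerts


if __name__ == "__main__":
    for alert in find_reset_takeovers(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed sample this fires once, for alice: reset by helpdesk1 at 14:02, new factor enrolled four minutes later from 192.0.2.77, an address absent from her session history. Bob's reset is not flagged because he re-enrolled from his usual IP. In production the baseline should come from weeks of `user.session.start` data rather than a single event, and the alert should page the identity team while the factor is still fresh, since the Salesforce export in the chain described above follows within the same session.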
The ledger
April 26 prediction. May 10 status. Zero of the named ten confirmed compromised. Three confirmed compromises that fit the refined filter — ADT, Canvas, Cushman. UNC6040 attribution holds. ShinyHunters cluster continues to operate. The vish chain is the load-bearing technique.
We were partially right. The partial-wrong is the part we are correcting in public, with a refined filter and ten additional names, dated today. If any of these get hit in the next thirty days, the receipt will be in this post.
— Patrick Duggan, May 10, 2026
