Full Report
In March 2026, the commercial real estate finance company Berkadia was the target of a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Berkadia's Salesforce instance, including over 300k unique email addresses as well as names, physical addresses and phone numbers, among other data.
Analysis Summary
# Incident Report: ShinyHunters Extortion of Berkadia
## Executive Summary
In March 2026, Berkadia, a commercial real estate finance firm, fell victim to a "pay or leak" extortion campaign orchestrated by the threat actor group ShinyHunters. The incident resulted in the exfiltration and subsequent publication of data associated with over 305,000 accounts, allegedly sourced from the company's Salesforce instance.
## Incident Details
- **Discovery Date:** June 15, 2026 (Public disclosure/HIBP integration)
- **Incident Date:** March 2026
- **Affected Organization:** Berkadia
- **Sector:** Commercial Real Estate Finance
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Targeted exploitation of cloud-based CRM (Salesforce)
- **Details:** Attackers targeted Berkadia's Salesforce instance to retrieve sensitive client and employee data.
### Lateral Movement
- **Details:** Specific lateral movement details were not disclosed; however, the threat actors successfully pivoted from initial entry to data repositories containing PII.
### Data Exfiltration/Impact
- **Details:** ShinyHunters exfiltrated a database containing roughly 305,200 unique records. After Berkadia likely refused to meet extortion demands, the group published the dataset online.
### Detection & Response
- **How it was discovered:** Discovery occurred via threat actor communications on social media (X/Twitter) and subsequent data leaks.
- **Response actions taken:** The data was eventually indexed by "Have I Been Pwned" to notify affected individuals.
## Attack Methodology
- **Initial Access:** Potential credential stuffing, session hijacking, or exploitation of misconfigured Salesforce permissions.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Likely utilized high-privilege API keys or administrative credentials to access the broad CRM database.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Targeting of Salesforce-specific credentials or tokens.
- **Discovery:** Cloud environment reconnaissance for data-rich instances.
- **Lateral Movement:** Cloud-to-SaaS movement.
- **Collection:** Bulk export of CRM contact objects.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure for extortion purposes.
- **Impact:** Financial extortion and public data leak.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with credit monitoring for over 300k individuals.
- **Data Breach:** Compromise of 305,200 accounts including email addresses, names, employer details, phone numbers, and physical addresses.
- **Operational:** Disruption due to incident response and remediation of cloud security configurations.
- **Reputational:** High; sensitive financial client data was made public by a well-known extortion group.
## Indicators of Compromise
- **Network indicators:** N/A (Cloud-side exfiltration).
- **File indicators:** N/A (Database export).
- **Behavioral indicators:** Unusual API call volume originating from non-standard IP ranges or at atypical times; unauthorized bulk export requests within Salesforce.
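The behavioral indicators above can be turned into a simple detection. The following is an added example, not part of the original report, that flags bulk export activity from untrusted IP ranges, outside business hours, or above a per-hour row budget; the event records, field names, IP ranges and thresholds are constructed assumptions loosely modelled on Salesforce event log fields, not data from the incident.

```python
"""Constructed illustration: flag bulk CRM exports that look like mass exfiltration.
Records imitate Salesforce event-log style fields (EVENT_TYPE, TIMESTAMP_DERIVED,
USER_ID, CLIENT_IP, ROWS_PROCESSED); all names and values here are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed corporate egress ranges and working hours (UTC); tune per environment.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59
ROWS_PER_HOUR_LIMIT = 50_000           # rows one user may pull per hour before alerting
EXPORT_EVENTS = {"Api", "BulkApiRequest", "ReportExport"}

# Constructed sample events (RFC 5737 documentation addresses, not real indicators).
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "Api", "TIMESTAMP_DERIVED": "2026-03-10T10:15:00Z", "USER_ID": "005A", "CLIENT_IP": "203.0.113.7", "ROWS_PROCESSED": 200},
    {"EVENT_TYPE": "BulkApiRequest", "TIMESTAMP_DERIVED": "2026-03-11T02:05:00Z", "USER_ID": "005B", "CLIENT_IP": "198.51.100.23", "ROWS_PROCESSED": 120_000},
    {"EVENT_TYPE": "BulkApiRequest", "TIMESTAMP_DERIVED": "2026-03-11T02:40:00Z", "USER_ID": "005B", "CLIENT_IP": "198.51.100.23", "ROWS_PROCESSED": 190_000},
    {"EVENT_TYPE": "ReportExport", "TIMESTAMP_DERIVED": "2026-03-11T14:00:00Z", "USER_ID": "005C", "CLIENT_IP": "203.0.113.9", "ROWS_PROCESSED": 60_000},
]

def _reasons(ev, rows_in_hour):
    """Return the suspicious traits of one export event."""
    ts = datetime.strptime(ev["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
    ip = ipaddress.ip_address(ev["CLIENT_IP"])
    reasons = []
    if not any(ip in net for net in TRUSTED_NETS):
        reasons.append("untrusted_ip")
    if ts.hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    if rows_in_hour > ROWS_PER_HOUR_LIMIT:
        reasons.append("bulk_volume")
    return reasons

def flag_bulk_exports(events):
    """Return {USER_ID: sorted reasons} for users whose export activity is anomalous."""
    # Aggregate rows per (user, hour) so many mid-sized pulls are caught, not only one huge one.
    rows_per_user_hour = defaultdict(int)
    for ev in events:
        if ev["EVENT_TYPE"] in EXPORT_EVENTS:
            rows_per_user_hour[(ev["USER_ID"], ev["TIMESTAMP_DERIVED"][:13])] += int(ev["ROWS_PROCESSED"])
    findings = defaultdict(set)
    for ev in events:
        if ev["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        rows = rows_per_user_hour[(ev["USER_ID"], ev["TIMESTAMP_DERIVED"][:13])]
        findings[ev["USER_ID"]].update(_reasons(ev, rows))
    return {user: sorted(r) for user, r in findings.items() if r}
```

In a real deployment the records would come from the platform's event log export rather than an inline list, and the thresholds should be baselined per user role rather than set globally.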
## Response Actions
- **Containment measures:** Review and revocation of compromised Salesforce API keys and user credentials.
- **Eradication steps:** Audit of Salesforce permission sets and third-party integrations.
- **Recovery actions:** Notification of affected parties and integration with breach notification services like HIBP.
## Lessons Learned
- **Key takeaways:** SaaS platforms like Salesforce require the same level of security scrutiny as on-premise infrastructure.
- **What could have been done better:** Stricter IP allowlisting for CRM access and more robust monitoring of bulk data exports might have alerted the organization before the full dataset was exfiltrated.
## Recommendations
- **MFA Implementation:** Ensure Multi-Factor Authentication (MFA) is strictly enforced for all Salesforce users and administrative accounts.
- **Least Privilege:** Conduct a "Least Privilege" audit of Salesforce permissions to ensure users cannot export large datasets without authorization.
- **CASB Deployment:** Implement a Cloud Access Security Broker (CASB) to monitor and block anomalous data transfers from SaaS applications.
- **Credential Hygiene:** Use password managers and enforce frequent rotation of service account tokens.