Berkadia Breach: 305K Records Leaked by ShinyHunters (2026)

Overview

In March 2026, the commercial real estate finance firm Berkadia suffered a data breach after the extortion group ShinyHunters targeted the company with a “pay or leak” campaign. The attackers claimed to have accessed Berkadia’s Salesforce instance, exfiltrating a database containing over 305,000 unique records. After Berkadia reportedly declined to pay the ransom, ShinyHunters published the stolen data publicly. The leaked information includes email addresses, full names, physical addresses, and phone numbers. The breach was subsequently reported to Have I Been Pwned (HIBP), allowing affected individuals to check their exposure. This incident underscores the growing threat of extortion-focused attacks against business-critical cloud platforms.

What Was Exposed

The exposed dataset contains four primary categories of personally identifiable information (PII):

• Email Addresses: 305,216 unique addresses, enabling phishing and spam campaigns.
• Full Names: Combined with emails, this increases the credibility of social engineering attacks.
• Physical Addresses: Home or business addresses heighten risks of physical mail fraud and doxxing.
• Phone Numbers: Used for SMS phishing (smishing) and robocall scams.

While no financial data or Social Security numbers were reported, the combination of contact details is highly valuable for targeted scams that impersonate Berkadia, its partners, or financial institutions.

How the Breach Happened

ShinyHunters, an established extortion group known for targeting Salesforce and other cloud services, infiltrated Berkadia’s Salesforce instance. The attack vector likely involved compromised credentials, misconfigured API access, or a third-party integration vulnerability. After gaining access, the group exfiltrated the client-facing contact database and demanded payment under threat of public release. When Berkadia did not comply, ShinyHunters published the full dataset on dark web forums, making it freely available to other malicious actors.

Who’s Actually Affected

The breach primarily impacts individuals whose contact information was stored in Berkadia’s Salesforce CRM system. This includes:

• Commercial real estate clients and investors
• Property owners and managers who worked with Berkadia
• Third-party vendors and business partners
• Job applicants or leads who submitted contact details

Because Salesforce instances often aggregate data from multiple sources, the actual scope of affected individuals may extend beyond direct Berkadia customers to include contacts from partner organizations. Anyone who has interacted with Berkadia since the Salesforce integration began should consider themselves potentially exposed.

How to Check If You’re Affected

Affected individuals can verify exposure through two primary methods:

1. Have I Been Pwned: Visit haveibeenpwned.com and search your email address. The Berkadia breach is listed in HIBP’s database.
2. Direct Notification: Berkadia is required under data breach notification laws to inform affected individuals. Check your inbox (including spam folders) for official correspondence from Berkadia about the incident.

If your email appears in the breach, assume all associated contact information - name, address, phone number - is compromised.

What to Do Right Now

• Watch for targeted phishing: Expect emails, texts, or calls that reference Berkadia or use your leaked details to appear legitimate. Never click links or provide sensitive information through unsolicited contact.
• Strengthen account passwords: If you use the same password for Berkadia-related accounts (or any account), change it immediately. Enable multi-factor authentication where possible.
• Monitor for identity fraud: Check your credit reports for unauthorized accounts, and consider a credit freeze if you see suspicious activity.
• Be skeptical of phone calls: Scammers may use your leaked phone number to pose as Berkadia representatives. Hang up and call back using a verified number.

Security Insight

Berkadia’s reliance on Salesforce without apparent multi-factor authentication or rigorous API access controls is a cautionary tale for enterprises in regulated industries. The ShinyHunters playbook - targeting CRM systems for extortion rather than immediate credential theft - represents a shift in ransomware tactics that often catches organizations off guard. For comparable breaches, see our coverage of cybersecurity news related to cloud data leaks. Companies that store bulk PII in SaaS platforms must implement strict access logging, least-privilege permissions, and regular third-party security audits to prevent these exposures.

Further Reading

• All High Breaches
• Recent Data Breaches