Berkadia Data Breach Exposes Names, Emails, and Phone Numbers

Real Estate data breach illustration
Breach Discovery: 19th March 2026Breach Notification: Not Publicly Disclosed

What Happened in the Berkadia Data Breach?

Berkadia, a major commercial real estate finance company, became the target of a data extortion campaign in March 2026. The group behind the attack, known as ShinyHunters, ran what is often called a “pay or leak” scheme. This means the attackers demanded payment and threatened to publish stolen data if Berkadia refused to pay.

According to available information, the Berkadia data breach involved unauthorized access to the company’s Salesforce instance. Salesforce is a customer relationship management platform many businesses use to store client and contact information. As a result, the attackers were able to pull large amounts of data directly from that system.

The breach came to light on or around March 19, 2026, when ShinyHunters published data they claimed came from Berkadia’s Salesforce environment. Because the group posted this information publicly, the incident became widely known rather than staying a quiet internal matter. It remains unclear exactly how the attackers first gained access to the Salesforce instance, and Berkadia has not publicly detailed its full forensic investigation.

However, the publication of stolen records serves as strong evidence that the intrusion was real and that data exfiltration occurred. This distinguishes the Berkadia data breach from incidents involving mere system downtime or unconfirmed access attempts. In this case, attackers actually removed and released sensitive information.

Who was affected?

attP>

The Berkadia data breach appears to primarily affect individuals whose contact information was stored within the company’s Salesforce system. This likely includes clients, business contacts, and possibly employees who interacted with Berkadia’s commercial real estate finance services. Because Salesforce often houses broad contact databases, the exposed population could span many different relationships with the firm.

Reports indicate that more than 300,000 unique email addresses were included in the leaked data. This suggests a substantial number of people were affected, even though Berkadia has not released an official victim count. As a result, individuals across the country who have had any dealings with Berkadia should consider themselves potentially impacted.

In addition, because the data includes employer information alongside personal details, professional contacts and business relationships tied to the affected accounts may also be exposed indirectly. The geographic scope has not been publicly disclosed, but given Berkadia’s national commercial real estate finance business, affected individuals are likely spread across the United States.

What Information Was Potentially Exposed?

The data published by ShinyHunters reportedly includes several categories of personal and professional information. This information could be used by bad actors to craft convincing scams or attempt further unauthorized access to other accounts.

  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • Employer information

Although this breach does not appear to include Social Security numbers or financial account details based on currently available information, the exposed data still carries real risk. For example, attackers can combine names, phone numbers, and addresses to impersonate trusted contacts or Berkadia representatives. This makes phishing and social engineering attacks more convincing and harder to spot.

Furthermore, because employer information was included, criminals could use these details to craft targeted business email compromise scams. This means an attacker might pose as a colleague or business partner to trick someone into transferring funds or revealing further sensitive information. Even without financial data directly exposed, this type of contact information can fuel follow-on fraud schemes for months or years after a breach.

What is the company doing?

Berkadia has not published extensive public details about its remediation steps following the extortion attempt. However, the fact that the stolen data was traced to a Salesforce instance suggests the company is likely working to secure that platform and review its third-party application access controls.

In response to incidents like this, companies typically investigate how attackers gained entry, rotate credentials, and review permissions granted to connected applications. Additionally, organizations facing extortion campaigns often consult with cybersecurity firms and legal counsel to determine notification obligations. It has not been publicly disclosed whether Berkadia is offering credit monitoring or identity protection services to affected individuals at this time.

What Should Affected Individuals Do?

Monitor Your Credit Reports

Even though this breach does not appear to include financial account numbers, affected individuals should still check their credit reports regularly. Because personal details like names and addresses were exposed, criminals could attempt to open new accounts using this information combined with data from other breaches.

You can request free credit reports from the three major credit bureaus. Reviewing these reports for unfamiliar accounts or inquiries helps you catch potential identity theft early. If you notice anything suspicious, report it immediately to the credit bureau and consider filing a report with the Federal Trade Commission.

Watch for Phishing and Impersonation Attempts

Because email addresses, names, and phone numbers were exposed, affected individuals should be especially cautious of unexpected emails, texts, or calls. Scammers often use leaked contact details to craft messages that appear to come from a trusted company or colleague.

Therefore, avoid clicking links or downloading attachments from unsolicited messages, even if they look legitimate. Instead, verify any request by contacting the organization directly through a known phone number or website. This simple habit can prevent many follow-on scams tied to data breaches.

Consider a Fraud Alert on Your Credit File

Given the breadth of personal information exposed, placing a fraud alert on your credit file adds an extra layer of protection. A fraud alert requires businesses to verify your identity before opening new credit in your name, which can slow down identity thieves.

This step is free and typically lasts one year, though you can renew it. In addition, individuals particularly concerned about identity theft may want to consider a full credit freeze, which offers even stronger protection by restricting access to your credit file entirely.

Be Cautious With Business and Employer-Related Communications

Since employer information was part of the exposed data, professionals should be alert to targeted scams referencing their workplace. Attackers may use this detail to make phishing attempts seem more credible, especially in business email compromise schemes.

As a result, employees should confirm any unusual financial requests or data requests with colleagues through verified channels. Reporting suspicious messages to your company’s IT or security team also helps protect your broader organization from related attacks.



Related Data Breaches