HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Berkadia Exposes 305K PII Records After Salesforce Credential Compromise

In March 2026, ShinyHunters extorted Berkadia and published over 300,000 records stolen from its Salesforce instance, including emails, names, addresses, and phone numbers. The breach highlights the need for robust SOC 2 access controls and continuous monitoring of SaaS permissions to maintain audit readiness.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
haveibeenpwned.com

Berkadia Exposes 305K PII Records After Salesforce Credential Compromise

What Happened — In March 2026 ShinyHunters launched a “pay‑or‑leak” extortion campaign against commercial real‑estate finance firm Berkadia. The group later published data they said was extracted from Berkadia’s Salesforce instance, revealing more than 305,000 unique email addresses plus names, physical addresses, phone numbers and employer information.

Why It Matters for Compliance & Audit Readiness

  • The breach is a textbook example of a failure to enforce SOC 2 access‑control criteria for the Security principle – privileged SaaS accounts were not sufficiently protected.
  • Continuous monitoring of credential usage and periodic review of SaaS permission sets provide the audit evidence needed to demonstrate due diligence.
  • Mapping this incident to your SOC 2 controls helps close gaps before auditors or regulators raise the same issue.

Who Is Affected — Commercial‑real‑estate finance firms, and any organization that stores PII in Salesforce or similar SaaS CRM platforms.

Recommended Actions

  • Conduct an immediate review of all Salesforce admin and user permissions; enforce MFA for every privileged account.
  • Deploy continuous credential‑monitoring and log‑analysis to flag anomalous access patterns.
  • Update SOC 2 access‑control policies, capture evidence of permission reviews, and retain it for audit purposes. Source: HIBP Breach Detail

Technical Notes

  • Attack vector: stolen credentials (likely via phishing or credential reuse).
  • Data types exposed: email addresses, names, physical addresses, phone numbers, employer information. Source: HIBP Breach Detail
📰 Original Source
https://haveibeenpwned.com/Breach/Berkadia

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →