Yes — Berkadia (berkadia.com) was breached. The commercial real estate finance firm now appears on Have I Been Pwned with 305,216 accounts tied to a March 2026 incident in which ShinyHunters ran a “pay or leak” extortion campaign against the company’s Salesforce instance.
HIBP added the breach on June 15, 2026. Published data allegedly includes email addresses, names, physical addresses, and phone numbers — the kind of contact graph that makes post-breach impersonation and vendor fraud easier across commercial mortgage workflows.
We scanned berkadia.com to assess email and domain security posture relevant to this leak.
What Happened
According to Have I Been Pwned:
- March 2026 — ShinyHunters targeted Berkadia in a pay-or-leak extortion campaign.
- The group subsequently published data it claimed was taken from Berkadia’s Salesforce environment.
- 305,216 unique email addresses were exposed, along with names, physical addresses, and phone numbers.
- HIBP added the breach on June 15, 2026.
Berkadia is one of the largest commercial real estate finance companies in the U.S. — a joint venture historically linked to Berkshire Hathaway and Jefferies — serving mortgage banking, servicing, and investment sales clients nationwide.

Breach Impact at a Glance
| Field | Detail |
|---|---|
| Victim | Berkadia (berkadia.com) |
| Sector | Commercial real estate finance |
| Threat actor | ShinyHunters |
| Source system | Salesforce (alleged) |
| Accounts affected | 305,216 |
| Breach period | March 2026 |
| Added to HIBP | June 15, 2026 |
| Data types | Emails, names, addresses, phone numbers |
Data at Risk
Exposed records may include:
- Email addresses tied to borrowers, brokers, and internal staff
- Full names and physical addresses
- Phone numbers usable for SMS and voice phishing
- CRM relationship data that maps lenders, servicers, and counterparties
For Texas real estate and mortgage professionals who interact with Berkadia, exposed contact data increases business email compromise and wire-fraud social engineering risk — especially when email identity controls on the domain are weak.

Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit of berkadia.com on July 5, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| berkadia.com | 58% | 25% | 15% | 92% | Average |
Key findings:
- 58% overall (Average) — below the 100% ideal for a finance firm handling sensitive transaction correspondence.
- 25% Identity & Spoofing — weak DMARC/SPF posture makes spoofed
@berkadia.commessages harder to block after a CRM contact leak. - 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT reporting.
- 92% Website Security — strong header posture on the public site, but email transport and identity gaps remain.
Audit link: berkadia.com audit
Priority Actions
- Verify any Berkadia-related wire or document requests through known phone numbers — not reply-to addresses in email.
- Check Have I Been Pwned if you hold a Berkadia portal or CRM account.
- Deploy DMARC
p=rejectand MTA-STS on finance and real-estate domains — see our real estate breach trends. - Review the April 2026 ShinyHunters roundup and HIBP 2026 tracker.
Sources: HIBP — Berkadia · EmailMeNow audit — berkadia.com