Marcus & Millichap Breach: ShinyHunters Leaks 1.8M Records

Commercial real estate giant Marcus & Millichap was publicly named in April 2026 as an alleged victim of the ShinyHunters hacking and extortion group. Have I Been Pwned reports that data purportedly obtained from the company was subsequently dumped, exposing 1.8 million unique email addresses. This isn’t just email; the leak includes names, phone numbers, employer details, job titles, and physical company addresses.

Marcus & Millichap’s disclosure notice downplayed the impact, suggesting accessed data was limited to “company forms, templates, marketing materials, and general contact information.” This is a classic move to manage optics, but the reality is far more concerning. Names, employers, job titles, and physical addresses are prime fodder for spear-phishing and social engineering attacks, especially against high-value targets in the real estate sector. Attackers now have a detailed blueprint to craft highly convincing lures.

ShinyHunters continues to hit organizations across various sectors, proving their capability to exfiltrate significant volumes of data. This incident underscores the critical need for robust data segmentation and strict access controls, even for what seems like “general contact information.” Attackers are always looking for the dots to connect, and this type of data provides a lot of them.