High

Marcus & Millichap Breach: 1.8M Records Exposed (2026)

Overview

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data claimed to have been obtained from the company was subsequently released publicly, impacting 1,837,078 individuals. The exposed dataset includes email addresses, names, phone numbers, employers, and job titles. While no financial information or Social Security numbers were reported in the breach, the breadth of professional data poses significant risks for targeted phishing and social engineering attacks.

How the Breach Happened

ShinyHunters is a known threat actor group that specializes in breaching corporate databases and extorting companies for ransom. In this case, the attackers claimed responsibility for compromising Marcus & Millichap’s systems and exfiltrating a trove of client, partner, and employee records. The data was later released publicly after negotiations with the company reportedly failed. The exact attack vector — whether through a vulnerability like CVE-2025-12345, credential theft, or phishing — has not been confirmed by the firm.

What Was Exposed

The breach exposed a mix of personal and professional data, including:

  • Email Addresses — the most common and actionable piece of data for criminals
  • Full Names
  • Phone Numbers
  • Employer Names
  • Job Titles

While not as immediately dangerous as leaked passwords or financial data, this combination is highly valuable for business-related phishing campaigns. Attackers can craft convincing emails that reference your job role, company, or industry contacts.

Identity Theft and Account Takeover Risks

No financial accounts or credentials were reportedly exposed, but the leaked email addresses can still feed credential stuffing attacks when paired with passwords from other breaches, if victims reused passwords across platforms. More concerning is the risk of spear-phishing: attackers can impersonate colleagues, vendors, or industry partners using the exposed details. Phone numbers also enable SMS-based scams (smishing) that feel legitimate because the sender appears to know your professional background.

How to Check If You’re Affected

You can check if your email address was included in the Marcus & Millichap breach by visiting Have I Been Pwned at haveibeenpwned.com. If your email appears, your name, phone number, employer, and job title may also be in the leaked dataset.

What to Do Right Now

  1. Enable multi-factor authentication on all business and personal accounts, especially email and communications platforms like Slack or Zoom.
  2. Be highly skeptical of unsolicited emails or texts referencing your job title or employer — even if the sender appears to be a real person you know.
  3. Monitor for targeted phishing attempts that use your job title or company name as bait. Do not click links or download attachments from unexpected messages.
  4. Update your passwords on any accounts where you reuse the same password, even if you haven’t been directly pwned yet.
  5. Freeze your credit if you suspect further identity theft risks, though this breach did not include SSNs.

Security Insight

This breach underscores a recurring pattern in the commercial real estate sector: companies often collect extensive professional and contact data from clients and partners without implementing robust security controls to protect it. Unlike credential-led breaches, this exposure of curated professional profiles is tailor-made for business email compromise (BEC) and executive impersonation attacks. For industry peers, this should be a wake-up call to audit third-party vendor access and enforce stronger data retention policies, as ShinyHunters frequently targets companies with weak perimeter defenses.
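
For teams defending against the impersonation risk described above, the following is an added example (not part of the original report) of a mail-gateway style check that flags a known colleague's display name arriving from an address that is not theirs, plus a diverted Reply-To. The directory, names, domains and sample messages are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (hypothetical names and domain): display name -> real address.
DIRECTORY = {
    "Dana Whitfield": "dana.whitfield@example-brokerage.test",
    "Luis Ortega": "luis.ortega@example-brokerage.test",
}

def normalize(name):
    """Fold case, accents, commas and word order so 'Whitfield, Dana' == 'dana whitfield'."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(sorted(folded.lower().replace(",", " ").split()))

KNOWN = {normalize(n): a.lower() for n, a in DIRECTORY.items()}

def check_sender(raw_message):
    """Return findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    # A colleague's name on an address that is not theirs: leaked names,
    # employers and job titles are what make such a message look plausible.
    expected = KNOWN.get(normalize(display))
    if expected and addr != expected:
        findings.append("display-name-impersonation")
    # Replies diverted to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed sample messages.
LEGIT = "From: Dana Whitfield <dana.whitfield@example-brokerage.test>\nSubject: Q3\n\nhi"
SPOOF = ('From: "Whitfield, Dana" <dana.whitfield@mail-example.test>\n'
         "Reply-To: payments@other-example.test\nSubject: Wire today\n\nurgent")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, check_sender(raw))
```

A check like this complements, rather than replaces, SPF/DKIM/DMARC enforcement, since a lookalike domain can pass all three.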
