Marcus & Millichap, a commercial real estate brokerage, was named as an alleged victim of the ShinyHunters hacking group in April 2026, and data on approximately 1.8 million individuals was exposed.
What happened
According to HIBP, in April 2026 the commercial real estate brokerage firm Marcus & Millichap was identified as one of several alleged victims of the ShinyHunters hacking and extortion group. Data purportedly obtained from the company was subsequently released publicly.
In their own disclosure notice, Marcus & Millichap stated that the data potentially accessed appeared limited to company forms, templates, marketing materials, and general contact information.
What was exposed
According to HIBP, the released data included approximately 1.8 million unique email addresses, along with names, phone numbers, and employment-related details such as employer names, job titles, and physical company addresses.
Who is affected
Around 1.8 million individuals are affected, primarily those whose contact and professional information was held in Marcus & Millichap's systems. This likely includes clients, business contacts, and industry professionals.
What to do now
If you have ever provided contact information to Marcus & Millichap, be alert for phishing emails or unsolicited calls that use your personal or professional details. Consider changing the password on any account that shares credentials with services you may have registered using your work email. Watch for suspicious communications that reference your employer or job title, as this information could be used in targeted social engineering attacks.