Marcus & Millichap Breach: 1.8M Records Exposed (2026)

Overview

On April 14, 2026, commercial real estate brokerage Marcus & Millichap confirmed a data breach affecting over 1.8 million individuals. The ShinyHunters hacking group claimed responsibility, posting stolen data publicly after an extortion attempt. The company’s disclosure stated that compromised data was limited to “company forms, templates, marketing materials, and general contact information,” but the leaked records include detailed personal and professional information for hundreds of thousands of business contacts, clients, and partners.

What Was Exposed

The breached dataset contains 1,837,078 unique email addresses along with:

• Full names – first and last names of individuals
• Phone numbers – direct dial and mobile numbers
• Employer names – current or previous companies
• Job titles – professional positions held
• Company addresses – physical business locations

Marcus & Millichap’s official statement downplays the scope, but the exposed data goes far beyond generic templates. The records appear to come from the company’s CRM system, contact databases, and business correspondence logs.

Potential Impact

While no financial data or Social Security numbers were directly exposed, the risks are significant:

• Phishing and spear-phishing attacks – With names, employers, and job titles, attackers can craft highly convincing targeted emails impersonating business partners or the company itself
• Business email compromise (BEC) – Fraudsters may use stolen contact details to impersonate executives or clients, requesting wire transfers or sensitive information
• Social engineering – Phone numbers and professional context enable direct calls to employees, vendors, or clients, posing as IT support or a colleague
• Reputational damage – Real estate professionals rely on trust and confidentiality; this breach erodes confidence in the firm’s data protection practices

Affected individuals may experience increased spam, unsolicited calls, or targeted scams leveraging their professional identity.

Recommendations

1. Enable two-factor authentication (2FA) on all email and business accounts - especially if you use the same email for banking or client communications
2. Beware of targeted messages - Do not click links or open attachments from unexpected emails referencing Marcus & Millichap or your real estate dealings
3. Monitor for identity misuse - Check if your email appears in other breaches using a free service (see below)
4. Update passwords - Change passwords for any accounts where you used the same email as your Marcus & Millichap contact
5. Report suspicious activity - If you receive a strange email or call referencing this breach, forward it to the company’s security team or your IT department

How to Check If You’re Affected

Visit Have I Been Pwned and enter your email address. The site will show if your data appears in this breach. Marcus & Millichap has not provided a direct notification tool, but affected individuals should assume their information is now public.

Security Insight

This breach reveals a recurring pattern in the real estate industry: companies often treat professional contact information as low-sensitivity data, ignoring its value to attackers for phishing and impersonation schemes. Unlike retail breaches that expose credit cards, this leak weaponizes trust - when fraudsters know your boss’s name and your job title, a fraudulent wire transfer request becomes dangerously convincing. Marcus & Millichap’s minimal disclosure suggests they either underestimated the breach’s scope or prioritized minimizing legal liability over transparency, a common but damaging approach in the current cybersecurity news landscape.

Further Reading

• All High Breaches
• Recent Data Breaches