Marcus & Millichap Hit by ShinyHunters Extortion Campaign, Exposing 1.8M Email Addresses
In a recent cybersecurity incident, commercial real estate firm Marcus & Millichap was targeted in a "pay or leak" extortion campaign by the hacking group ShinyHunters last month. The breach compromised 1.8 million unique email addresses, along with associated names, phone numbers, and employment-related information.
Approximately 70% of the exposed data was already publicly available on LinkedIn, raising concerns about the overlap between leaked and pre-existing personal information. The incident highlights the risks of data aggregation by third parties, which often use essential and non-essential cookies for service delivery, security, analytics, and targeted advertising; these practices can inadvertently expand exposure in breaches.
The breach was documented by Have I Been Pwned, a data breach notification service, further confirming the scope of the leak. While the full impact remains under assessment, the incident underscores the growing threat of extortion-based cyberattacks targeting sensitive corporate and personal data.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7456839179680006144
Marcus & Millichap cybersecurity rating report: https://www.rankiteo.com/company/marcus-&-millichap
{
  "id": "MAR1777854212",
  "linkid": "marcus-&-millichap",
  "type": "Breach",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '1.8 million unique email '
                                              'addresses',
                        'industry': 'Commercial Real Estate',
                        'name': 'Marcus & Millichap',
                        'type': 'Company'}],
 'data_breach': {'number_of_records_exposed': '1.8 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Email addresses',
                                              'Names',
                                              'Phone numbers',
                                              'Employment-related '
                                              'information']},
 'description': 'Commercial real estate firm Marcus & Millichap was targeted '
                "in a 'pay or leak' extortion campaign by the hacking group "
                'ShinyHunters. The breach compromised 1.8 million unique email '
                'addresses, along with associated names, phone numbers, and '
                'employment-related information. Approximately 70% of the '
                'exposed data was already publicly available on LinkedIn, '
                'raising concerns about data aggregation risks. The incident '
                'was documented by Have I Been Pwned, confirming the scope of '
                'the leak.',
 'impact': {'data_compromised': '1.8 million unique email addresses, names, '
                                'phone numbers, and employment-related '
                                'information',
            'identity_theft_risk': 'High'},
 'lessons_learned': 'Highlights the risks of data aggregation by third parties '
                    'and the overlap between leaked and pre-existing personal '
                    'information.',
 'motivation': 'Extortion (Pay or leak)',
 'references': [{'source': 'Have I Been Pwned'}],
 'threat_actor': 'ShinyHunters',
 'title': 'Marcus & Millichap Hit by ShinyHunters Extortion Campaign, Exposing '
          '1.8M Email Addresses',
 'type': 'Extortion'}