ShinyHunters Exfiltrates 1.8 M Records from Marcus & Millichap Commercial Real Estate Brokerage
What Happened – In April 2026 the commercial real‑estate brokerage Marcus & Millichap was identified as a victim of the ShinyHunters hacking and extortion group. The attackers stole and publicly released roughly 1.8 million unique records containing email addresses, names, phone numbers, employers, job titles and physical business addresses.
Why It Matters for TPRM –
- Exposure of contact and employment data can be leveraged for credential‑stuffing, phishing, and business‑email‑compromise attacks against the firm’s clients and partners.
- The breach highlights the risk of third‑party credential compromise in professional‑services firms that handle large volumes of personal data.
- Vendors with similar data‑rich environments may be attractive targets for extortion groups, necessitating stricter access‑control reviews.
Who Is Affected – Commercial real‑estate firms, their clients, partners, and any downstream services that rely on Marcus & Millichap’s contact databases.
Recommended Actions –
- Verify that all credentials shared with Marcus & Millichap are rotated and that MFA is enforced.
- Conduct a data‑classification review to ensure only necessary personal data is stored and that it is encrypted at rest.
- Update third‑party risk questionnaires to include checks for credential‑theft detection and breach‑response capabilities.
Technical Notes – The breach appears to stem from stolen credentials used to access internal repositories of marketing materials and client forms. No specific CVE was disclosed. Exfiltrated data includes email addresses, names, phone numbers, employer names, job titles and physical business addresses.
Source: https://haveibeenpwned.com/Breach/MarcusMillichap