Marcus & Millichap Data Breach (2026)
In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general
On April 12, 2026, commercial real estate brokerage firm Marcus & Millichap confirmed it was among the latest targets of the ShinyHunters hacking group, with 1.8 million unique email addresses and related personal records released publicly.
Confirmed Facts from Reporting
Public reporting indicates the exposed dataset contained names, phone numbers, physical addresses, employers, and job titles. Marcus & Millichap stated that the accessed material appeared limited to company forms, templates, marketing materials, and general business information rather than sensitive client financial records. The breach notification followed the group’s typical pattern of posting samples before releasing the full archive. Industry research from sources such as DoxxScan™ continuous monitoring lists the incident with 1.8M affected records. No evidence has surfaced that payment-card data or Social Security numbers were included.
Why This Matters for You and Your Family
When a breach exposes names, phone numbers, physical addresses, and job titles together, it creates a ready-made profile that scammers, stalkers, or identity thieves can use immediately. If you or anyone in your household has done business with Marcus & Millichap, your contact details may now sit in multiple criminal databases. That information often spreads from one attacker to the next, increasing the chance of phishing texts, spoofed calls from someone claiming to be your “broker,” or unwanted mail at home. Children’s accounts can also become targets when family addresses and parent names are public, turning a single corporate leak into a household risk.
The Doxxing and Identity-Chain Implications
Once names, emails, phones, and addresses are public, attackers can link them across social media, gaming platforms, and people-search sites. A single leaked work email can reveal your username on other services, which in turn exposes your children’s gaming handles if the same password or security questions were reused. These chains allow doxxing that starts with a real estate transaction and ends with harassment at home or school. Credential leaks like this one frequently cascade into account takeovers precisely because the supporting personal details make password resets and social engineering far easier.
ShinyHunters Track Record
Public reporting attributes the group’s emergence to 2020. ShinyHunters has claimed responsibility for breaches at numerous consumer-facing companies, often focusing on large user databases. Their typical playbook involves initial access through compromised credentials or unpatched web applications, followed by exfiltration of customer and employee records. They then demand ransom and, if unpaid, publish the data on leak sites or sell it privately. The Marcus & Millichap incident follows this pattern, with samples posted before full release.
What to do
- Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup to remove what you can.
- Rotate the password used at Marcus & Millichap anywhere it is reused and enable 2FA through an authenticator app rather than text messages.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your information is caught in hours, not months.
- Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same address and parent details.
- Let remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing accounts.
The incident shows how quickly business data becomes personal risk when names, addresses, and contact details escape corporate control. Taking deliberate steps now limits how far the exposed information can travel. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects online handles to real identities, and hands-on remediation by specialists, with household coverage that includes children’s gaming accounts vulnerable to the same credential cascades seen in this breach.
Related breaches
Match Group (Tinder, Hinge, OkCupid) Data Breach — January 2026
ShinyHunters claimed responsibility for stealing over 10 million Match Group user records in early 2…
Crunchbase Massive Personal Records Leak — January 2026
ShinyHunters exfiltrated approximately 2 million records from the business-intelligence platform Cru…
149 Million Credential Mega-Exposure — January 2026
Security researchers discovered a publicly exposed 96 GB database with 149 million unique logins cov…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →