Back to Blog
medium severity April 12, 2026 · 1.8M affected

Marcus & Millichap Data Breach (2026)

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity Medium
Disclosed April 12, 2026
Affected 1.8M
Data exposed Email addressesEmployersJob titlesNamesPhone numbersPhysical addresses

On April 12, 2026, commercial real estate brokerage firm Marcus & Millichap confirmed it was among the latest targets of the ShinyHunters hacking group, with 1.8 million unique email addresses and related personal records released publicly.

Confirmed Facts from Reporting

Public reporting indicates the exposed dataset contained names, phone numbers, physical addresses, employers, and job titles. Marcus & Millichap stated that the accessed material appeared limited to company forms, templates, marketing materials, and general business information rather than sensitive client financial records. The breach notification followed the group’s typical pattern of posting samples before releasing the full archive. Industry research from sources such as DoxxScan™ continuous monitoring lists the incident with 1.8M affected records. No evidence has surfaced that payment-card data or Social Security numbers were included.

Why This Matters for You and Your Family

When a breach exposes names, phone numbers, physical addresses, and job titles together, it creates a ready-made profile that scammers, stalkers, or identity thieves can use immediately. If you or anyone in your household has done business with Marcus & Millichap, your contact details may now sit in multiple criminal databases. That information often spreads from one attacker to the next, increasing the chance of phishing texts, spoofed calls from someone claiming to be your “broker,” or unwanted mail at home. Children’s accounts can also become targets when family addresses and parent names are public, turning a single corporate leak into a household risk.

The Doxxing and Identity-Chain Implications

Once names, emails, phones, and addresses are public, attackers can link them across social media, gaming platforms, and people-search sites. A single leaked work email can reveal your username on other services, which in turn exposes your children’s gaming handles if the same password or security questions were reused. These chains allow doxxing that starts with a real estate transaction and ends with harassment at home or school. Credential leaks like this one frequently cascade into account takeovers precisely because the supporting personal details make password resets and social engineering far easier.

ShinyHunters Track Record

Public reporting attributes the group’s emergence to 2020. ShinyHunters has claimed responsibility for breaches at numerous consumer-facing companies, often focusing on large user databases. Their typical playbook involves initial access through compromised credentials or unpatched web applications, followed by exfiltration of customer and employee records. They then demand ransom and, if unpaid, publish the data on leak sites or sell it privately. The Marcus & Millichap incident follows this pattern, with samples posted before full release.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup to remove what you can.
  • Rotate the password used at Marcus & Millichap anywhere it is reused and enable 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your information is caught in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same address and parent details.
  • Let remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing accounts.

The incident shows how quickly business data becomes personal risk when names, addresses, and contact details escape corporate control. Taking deliberate steps now limits how far the exposed information can travel. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects online handles to real identities, and hands-on remediation by specialists, with household coverage that includes children’s gaming accounts vulnerable to the same credential cascades seen in this breach.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.