-
ShinyHunters named Marcus & Millichap in a “pay or leak” extortion campaign, exposing 1.8 million records containing emails, names, phone numbers, and employment details.
-
The hacking group has targeted nine major brands including Zara, 7-Eleven, and Carnival Corporation, threatening to release over 9 million records if ransoms go unpaid.
-
Experts warn that 70% of the exposed Marcus & Millichap records already exist in breach databases, putting millions at compounding risk of fraud and identity theft.
ShinyHunters, the hacking group behind some of the biggest data breaches in recent years, has added Marcus & Millichap to its growing list of victims. The commercial real estate brokerage confirmed unauthorized access to one of its systems in April 2026, after hackers launched a phishing attack targeting an employee’s login credentials.
The breach exposed 1.8 million unique email addresses, along with names, phone numbers, and employment-related details including job titles, employer names, and physical company addresses.
According to Have I Been Pwned, the breach monitoring platform, 70% of those exposed records already existed in its database from previous leaks, meaning millions of people are now doubly at risk.
ShinyHunters Threatens to Release Over 9 Million Records
Marcus & Millichap was not the only target. ShinyHunters announced a sweeping extortion campaign against nine major brands, warning that it would release more than 9 million records containing personally identifiable information and internal data if the demanded ransoms remained unpaid by April 21.
The affected companies include convenience store chain 7-Eleven, fashion retailer – Zara, cruise line operator Carnival Corporation, international ecommerce brand Pitney Bowes, ultra-luxury hospitality brand Aman Resorts, financial services company Canada Life Assurance, and Marcus & Millichap.
The group exploited different entry points for each company. ShinyHunters breached Zara’s BigQuery instances through Israeli AI analytics firm Anodot, the same attack vector they previously used to infiltrate Rockstar Games’ Snowflake environment.
Inditex, Zara’s parent company, confirmed it identified unauthorized access to its databases, though it did not name Anodot directly. For 7-Eleven and several other firms, hackers used their Salesforce environments as the point of entry, stealing more than 600,000 records from 7-Eleven alone. ShinyHunters also claimed responsibility for stealing more than 8.7 million records from Carnival Corporation.
The group has already proven it follows through on its threats. U.S. home security provider Alert 360 refused to pay, and ShinyHunters responded by publicly releasing 2.5 million of its customer records.
ShinyHunters isn’t alone in using this tactic. In a separate but strikingly similar campaign, hackers claim theft of 3 million cisco records where they set deadline for data release, demonstrating how cybercriminals are increasingly using data leaks as leverage to extort major technology companies under tight deadlines.
What Marcus & Millichap Has Said
Marcus & Millichap disclosed the breach on April 12, 2026. According to the company’s disclosure notice, the data hackers may have accessed appears limited to company forms, templates, marketing materials, and general contact information. The company activated its incident response protocols immediately, bringing in outside cybersecurity experts to contain the activity. It also confirmed that its systems and operations continued running normally, with no sign of disruption.
In an update issued on April 24, Marcus & Millichap confirmed it had notified law enforcement and committed to full cooperation with authorities. The company maintained it was keeping strong safeguards in place across all its systems.
The company’s framing of the breach as limited to general contact information, however, stands in contrast to what the stolen data actually contains. The exposed records carry enough personal and professional detail to fuel targeted phishing attacks, identity fraud, and social engineering campaigns at scale.
What You Should Do Now
If you have ever shared your contact details with Marcus & Millichap, or if any of the other named companies hold your data, treat this as a direct threat to your personal security. Take these steps immediately:
- Change your passwords on every account that shares the same credentials you may have used with the affected companies.
- Enable two-factor authentication (2FA) on every platform that supports it. This adds a critical second layer of protection, even if hackers already have your password.
- Use a password manager to generate and store strong, unique passwords for all your accounts. Reusing passwords across platforms is one of the fastest ways criminals exploit a breach.
Data from these kinds of breaches does not disappear. Criminals trade and resell it for months, sometimes years, after the initial leak. The 70% overlap with Have I Been Pwned’s existing database shows that old breaches keep finding new victims. Getting ahead of it now matters.
