Commercial real estate broker Marcus & Millichap data leaked publicly - 1.8 million records including job titles for follow-on phishing

Marcus & Millichap customer data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1,837,078 unique email addresses, plus names, phone numbers, employer names, job titles, and company addresses. Marcus & Millichap is a major US commercial real estate brokerage that closed $50.9 billion in transactions in 2025. The company says the leaked data 'appeared limited to company forms, templates, marketing materials, and general contact information' but ShinyHunters originally claimed 30 million Salesforce records. The leak extends the ShinyHunters wave that already published Pitney Bowes, Carnival, Udemy, ADT, and ZenBusiness.

Check

If you've ever interacted with Marcus & Millichap as a buyer, seller, or broker, watch for highly-targeted phishing referencing real property listings or transaction history over the next 90 days.

Affected

Marcus & Millichap clients - commercial real estate buyers, sellers, brokers, and prospects whose employer and job title data is now public. Acute risk: real estate scammers running 'wire transfer fraud' against named buyers using the leaked job titles and employer names to make spear-phishing convincing. Lenders and title companies that worked transactions with Marcus & Millichap face downstream exposure.

Fix

Treat any Marcus & Millichap email referencing your real role or company as potentially hostile - call known contacts via published phone numbers to verify. For real estate professionals: enable wire transfer verification protocols requiring out-of-band confirmation. Lenders and title companies should add Marcus & Millichap-themed lookalike domains to phishing detection. Affected individuals can monitor through HIBP.