leak-confirmed - TrustStrike Labs

breach

2026-05-03

Commercial real estate broker Marcus & Millichap data leaked publicly - 1.8 million records including job titles for follow-on phishing

Marcus & Millichap customer data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1,837,078 unique email addresses, plus names, phone numbers, employer names, job titles, and company addresses. Marcus & Millichap is a major US commercial real estate brokerage that closed $50.9 billion in transactions in 2025. The company says the leaked data 'appeared limited to company forms, templates, marketing materials, and general contact information' but ShinyHunters originally claimed 30 million Salesforce records. The leak extends the ShinyHunters wave that already published Pitney Bowes, Carnival, Udemy, ADT, and ZenBusiness.

marcus-millichap shinyhunters commercial-real-estate leak-confirmed 1-8m-records job-titles wire-fraud-risk extortion-wave

Check: If you've ever interacted with Marcus & Millichap as a buyer, seller, or broker, watch for highly-targeted phishing referencing real property listings or transaction history over the next 90 days.
Affected: Marcus & Millichap clients - commercial real estate buyers, sellers, brokers, and prospects whose employer and job title data is now public. Acute risk: real estate scammers running 'wire transfer fraud' against named buyers using the leaked job titles and employer names to make spear-phishing convincing. Lenders and title companies that worked transactions with Marcus & Millichap face downstream exposure.
Fix: Treat any Marcus & Millichap email referencing your real role or company as potentially hostile - call known contacts via published phone numbers to verify. For real estate professionals: enable wire transfer verification protocols requiring out-of-band confirmation. Lenders and title companies should add Marcus & Millichap-themed lookalike domains to phishing detection. Affected individuals can monitor through HIBP.

breach

2026-05-02

Mark Cuban-backed business filing service ZenBusiness leaked - 5 million customer records now public after ShinyHunters extortion failed

ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.

zenbusiness shinyhunters mark-cuban llc-formation small-business snowflake mixpanel salesforce leak-confirmed 5m-records

Check: If you used ZenBusiness to set up an LLC, treat any inbound communication referencing your real business name, formation date, or registered agent details as potentially hostile.
Affected: ZenBusiness customers - mostly small business owners, freelancers, and startup founders. The leak includes business formation details that uniquely identify the type of business you set up. Acute risk: small business owners targeted by 'compliance reminder' phishing referencing their real EIN, registered agent address, or annual report deadline.
Fix: Reset ZenBusiness account passwords and rotate any password reused on other accounts. Watch state filing systems for unauthorized changes to your registered agent or business address - attackers can hijack LLCs by changing these. Treat any 'urgent compliance notice' email as potentially hostile. For LLCs holding valuable assets, consider freezing changes through your secretary of state's office where supported.

breach

2026-04-27

Pitney Bowes customer and employee data leaked publicly - 8.2 million email addresses plus internal records with employee job titles

Pitney Bowes customer and employee data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 8.2 million unique email addresses, plus names, phone numbers, and physical addresses. A subset includes Pitney Bowes employee records with job titles - a useful starter pack for highly-targeted phishing against named staff. The data came from a misconfigured Salesforce Experience Cloud 'Guest User' permission that let unauthenticated visitors query CRM records directly. ShinyHunters had posted Pitney Bowes on its leak site April 18 with a three-day deadline.

pitney-bowes shinyhunters salesforce-experience-cloud guest-user misconfiguration leak-confirmed employee-records extortion

Check: If your organization uses Salesforce Experience Cloud, audit Guest User permissions today and remove read access from CRM objects that don't need to be public.
Affected: Pitney Bowes customers (8.2M email addresses, names, phones, addresses now public) and employees with job titles in the leak. Any organization running Salesforce Experience Cloud with default Guest User permissions has the same exposure - this is a configuration failure, not a Salesforce flaw.
Fix: Run Salesforce's Guest User Permissions report and tighten anything reading customer or contact data. Confirm no Experience Cloud public site exposes Account, Contact, Lead, or Case objects without a clear public-data reason. Pitney Bowes employees should treat 'CEO needs you to wire' messages with extra suspicion - your name and title are now public.

breach

2026-04-27

ADT customer breach details now public on Have I Been Pwned - 5.5 million records confirmed, more than the 10 million ShinyHunters originally claimed but with worse data

Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.

adt shinyhunters leak-confirmed installer-ids social-engineering follow-up 5-5m-records update

Check: If you're an ADT customer, treat any inbound call referencing your real install date or installer name as hostile - those details are now public.
Affected: All 5,488,888 ADT customers and prospects - now indexable on HIBP. Acute risk for customers whose installer IDs are in the leak: scammers can call referencing 'Mike from your install on March 14, 2022' and sound legitimate enough to social-engineer security code resets. Elderly customers and high-value households are the highest-risk segment for follow-on physical security scams.
Fix: ADT customers should set a verbal codeword with ADT's real customer service line and refuse to verify identity to any inbound caller without it. Treat any 'free security upgrade' as a scam unless you initiated the call. Brief elderly family members specifically - they're the prime target for follow-on scams using leaked install details. Pressure ADT for credit monitoring if the SSN/Tax ID subset includes you.

breach

2026-04-26

Udemy customer and instructor data leaked publicly after ShinyHunters' extortion deadline expires - 1.4 million records including PayPal payout details

Online learning giant Udemy's customer and instructor data was leaked publicly today after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1.4 million unique email addresses. The dataset goes well beyond contact information: it includes full names, physical addresses, phone numbers, employer details, and instructor payout methods - PayPal email addresses, mailing addresses for cheques, and bank transfer details. Udemy was listed on ShinyHunters' 'pay or leak' portal April 24 with a three-day deadline. The company has not publicly confirmed the breach or said how attackers got in.

udemy shinyhunters extortion instructor-payouts paypal education leak-confirmed

Check: Reset your Udemy password if you have an account, especially if you're an instructor with payout details on file, and watch for highly targeted phishing.
Affected: Udemy customers and instructors with accounts before April 2026, particularly instructors whose PayPal addresses, cheque mailing addresses, and bank transfer details are in the leak. Any organization using Udemy for staff training has employee details exposed and should expect tailored phishing referencing real course history.
Fix: Reset Udemy passwords and rotate any password reused on other accounts. Instructors should monitor PayPal and bank accounts and contact PayPal to flag the email as compromised. Brief staff that any 'Udemy' email referencing their real course history is potentially hostile - go to udemy.com directly rather than clicking links. Add Udemy lookalike domains to your DMARC monitoring.