Full Report
In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information".
Analysis Summary
# Incident Report: Marcus & Millichap Data Exfiltration by ShinyHunters
## Executive Summary
In April 2026, the commercial real estate brokerage firm Marcus & Millichap suffered a data breach attributed to the threat group ShinyHunters. The incident resulted in the public release of approximately 1.8 million unique records containing employee and contact information. While the company characterizes the data as general marketing and contact materials, the exposure includes significant PII such as names, phone numbers, and physical addresses.
## Incident Details
- **Discovery Date:** April 2026 (public naming by threat actor)
- **Incident Date:** April 2026
- **Affected Organization:** Marcus & Millichap
- **Sector:** Commercial Real Estate
- **Geography:** United States (Headquartered in Calabasas, CA)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa April 2026
- **Vector:** Not explicitly disclosed (ShinyHunters typically utilizes credential stuffing or exploitation of misconfigured cloud storage/GitHub repositories).
- **Details:** The threat group ShinyHunters identified Marcus & Millichap as one of several victims in a multi-company extortion campaign.
### Lateral Movement
- **Details:** Information not publicly disclosed in the provided article; however, the scope of data suggests access to centralized contact databases or marketing repositories.
### Data Exfiltration/Impact
- **Details:** Roughly 1.8 million unique records were exfiltrated and subsequently released publicly on the internet after extortion attempts were made.
### Detection & Response
- **How it was discovered:** Discovery occurred when the threat group publicly named the firm as a victim and leaked a portion of the data.
- **Response actions taken:** Marcus & Millichap issued a disclosure notice to stakeholders and investigated the scope of the accessed files.
## Attack Methodology
- **Initial Access:** Often associated with compromised API keys or cloud credentials (based on historical ShinyHunters TTPs).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** ShinyHunters typically target large-scale databases and cloud storage buckets.
- **Lateral Movement:** Not disclosed.
- **Collection:** Gathering of marketing materials, company forms, and contact lists.
- **Exfiltration:** Large-scale extraction of over 1.8 million records via external cloud or web interfaces.
- **Impact:** Extortion and public data leak.
## Impact Assessment
- **Financial:** Potential for regulatory fines and increased costs for identity monitoring services for affected individuals.
- **Data Breach:** High volume (1.8 million records) involving names, email addresses, phone numbers, job titles, and employers.
- **Operational:** Minimal reported disruption to core brokerage operations.
- **Reputational:** Moderate; while the company claims data was "general contact information," the volume of the leak attracts significant public and media attention.
## Indicators of Compromise
- **Network indicators:** None provided in the source text.
- **File indicators:** Data leak samples appearing on forums managed by ShinyHunters.
- **Behavioral indicators:** Unusual large-scale egress traffic to cloud storage providers (inferred).
## Response Actions
- **Containment measures:** Investigated the extent of the unauthorized access to determine which servers/repositories were compromised.
- **Eradication steps:** Not explicitly detailed, but involved securing affected company forms and templates.
- **Recovery actions:** Issued a public disclosure notice and advised affected parties of the limited nature of the breach.
## Lessons Learned
- **Key takeaways:** Even "general contact information" and "marketing templates" can be aggregated to form a significant data breach that damages a brand's reputation.
- **What could have been done better:** Stricter access controls on public-facing or cloud-hosted company forms and templates might have prevented the large-scale scraping of 1.8 million records.
## Recommendations
- **Cloud Security:** Implement strict IAM (Identity and Access Management) policies and ensure no public-facing S3 buckets or repositories contain PII.
- **Multi-Factor Authentication (MFA):** Ensure MFA is enforced on all corporate accounts to prevent the common ShinyHunters tactic of credential reuse.
- **Data Minimization:** Regularly audit stored marketing data and purge old contact lists that are no longer required for business operations.
- **Monitoring:** Implement anomaly detection for large-scale data exfiltration, especially regarding "low-value" assets like templates and forms which may be overlooked.