ShinyHunters is claiming a data breach involving Marcus & Millichap, Inc., alleging the compromise of more than 30 million Salesforce records containing personally identifiable information and internal corporate data. The claim surfaced April 25, 2026, and follows a broader wave of extortion-linked listings tied to the group’s ongoing campaign.
Alleged Salesforce dataset tied to failed negotiations
According to the listing, the dataset includes over 30 million records and has been made available following what the threat actor describes as failed negotiations with the company. The post frames the release as a consequence of the organization declining to reach an agreement, a pattern consistent with recent ShinyHunters activity.
The actor also references “interesting and compromising data” within the dataset, though no detailed breakdown of data fields has been provided. No sample data or independently verifiable evidence has been publicly shared to confirm the scope of the alleged breach.
Part of a broader Salesforce-focused campaign
The Marcus & Millichap claim aligns with a series of recent incidents involving alleged Salesforce data exposure across multiple organizations. Recent BreachNews reporting documented a coordinated wave impacting companies including Zara, 7-Eleven, and Pitney Bowes, many of which were tied to Salesforce-related data claims.
In several of those cases, ShinyHunters followed through on extortion threats by publishing data after deadlines expired, reinforcing the group’s established pay-or-leak model.
Real estate sector exposure risks
As a major commercial real estate brokerage and investment firm, Marcus & Millichap handles large volumes of client, transaction, and financial data. Any confirmed exposure involving Salesforce systems could potentially impact sensitive business relationships, investor communications, and internal corporate records.
Data tied to real estate transactions often includes personally identifiable information, financial details, and contractual documentation, which may carry both privacy and competitive risks if exposed.
No confirmation from Marcus & Millichap
Marcus & Millichap had not issued any public statement at time of publication regarding the alleged breach or the claims made by ShinyHunters.
As with similar listings, the claim remains unverified and is based solely on threat actor statements. Further developments may emerge if data is released or independently analyzed.
