ShinyHunters has claimed a breach of commercial real estate giant Marcus & Millichap, alleging the theft of more than 30 million Salesforce records containing personally identifiable information and internal corporate data. The listing, surfaced April 25, 2026, follows the group's now-familiar extortion playbook: data offered for sale after the victim allegedly refused to negotiate. Marcus & Millichap has not publicly confirmed the incident.
What Happened
On April 25, 2026, ShinyHunters posted a claim alleging compromise of Marcus & Millichap's Salesforce environment. The actor stated negotiations with the company had failed, prompting the release of the dataset. The post referenced "interesting and compromising data" within the cache but did not provide a field-level breakdown, sample records, or other independently verifiable proof.
The claim slots into a broader, ongoing ShinyHunters campaign targeting Salesforce instances across multiple sectors. Recent listings have implicated Zara, 7-Eleven, and Pitney Bowes, with several victims subsequently seeing data published after extortion deadlines lapsed. The Marcus & Millichap entry follows that same operational pattern.
What Was Taken
According to the listing, the dataset comprises:
- More than 30 million Salesforce records
- Personally identifiable information (PII) tied to clients and contacts
- Internal corporate data described as "interesting and compromising"
Given Marcus & Millichap's role as one of the largest commercial real estate brokerages in North America, the records likely encompass investor contact details, broker correspondence, transaction pipelines, listing metadata, and financial particulars associated with commercial property deals. No sample has been published, so the exact composition and recency of the data remain unverified.
Why It Matters
Commercial real estate data carries unusual downstream risk. Investor identities, deal pipelines, valuations, and counterparty communications are commercially sensitive and can be weaponized for fraud, business email compromise, market manipulation, or competitive intelligence. A 30-million-record CRM dump from a top-tier brokerage would expose not only Marcus & Millichap clients but the broader network of investors, lenders, and operators who interact with the firm.
The incident also reinforces that ShinyHunters' Salesforce-focused campaign is not slowing. The pattern of social-engineering-driven OAuth abuse and connected-app token theft against Salesforce tenants has produced a steady cadence of high-volume disclosures, and CRM platforms remain a soft underbelly even at organizations with mature perimeter defenses.
The Attack Technique
ShinyHunters has not disclosed an intrusion vector for the Marcus & Millichap claim. However, the group's recent Salesforce-themed listings have consistently traced back to a common tradecraft set:
- Voice phishing (vishing) of helpdesk and sales operations staff to obtain Salesforce credentials or push approval of malicious connected apps
- Abuse of OAuth-authorized tooling, including modified Data Loader variants, to bulk-exfiltrate objects via the Salesforce Bulk API
- Pivoting through SSO and federated identity to evade native Salesforce session anomaly detection
- Staged extortion: silent exfil, private negotiation, then public listing once the victim refuses payment
Until Marcus & Millichap or external responders publish indicators, attribution of the intrusion vector here remains inferential.
What Organizations Should Do
- Audit all connected apps and OAuth tokens in your Salesforce tenant. Revoke any unrecognized integrations and require admin approval for new connected app installations.
- Restrict Bulk API and Data Loader access to a narrowly scoped set of accounts, IP-restrict those accounts, and alert on large-volume export jobs.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) for all Salesforce administrators and high-privilege users; assume SMS and TOTP are compromised in social-engineering scenarios.
- Train helpdesk and sales-ops teams specifically on vishing scenarios that request password resets, MFA bypass, or connected app approvals; require out-of-band verification for any such request.
- Deploy Salesforce Shield Event Monitoring or equivalent to log API calls, login anomalies, and report exports, and stream those events into the SIEM with detections for bulk extraction patterns.
- Inventory PII held in Salesforce, minimize what is retained, and engage counsel on disclosure obligations under applicable state breach-notification laws if your organization is downstream of Marcus & Millichap as a counterparty.
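The detection side of this checklist, as an added example that is not part of the original article or any vendor tooling: a small Python pass over Salesforce-style event log rows that surfaces the three signals the list asks teams to alert on (a connected app outside the approved set, Bulk API use from an account or IP not on the allowlist, and export volume per user crossing a threshold inside a one-hour window). The column names, the approved-app and IP allowlists, the threshold, and every log row are constructed for illustration; a real Salesforce Event Monitoring file carries Salesforce's own EventLogFile field names, which differ by event type, so map them before pointing this at production data.

```python
"""
Added example (not from the article): detection pass over constructed
Salesforce-style event log rows for unapproved connected apps, Bulk API use
from unexpected sources, and high-volume exports within a sliding window.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Column names are a simplified stand-in, NOT the
# real EventLogFile schema; RFC 5737 test-net addresses throughout.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_IP,CONNECTED_APP,ROWS_PROCESSED
Login,2026-04-20T08:00:00Z,integration@example.com,203.0.113.10,DataLoaderProd,0
BulkApi,2026-04-20T08:05:00Z,integration@example.com,203.0.113.10,DataLoaderProd,50000
BulkApi,2026-04-20T08:20:00Z,integration@example.com,203.0.113.10,DataLoaderProd,45000
Login,2026-04-20T22:10:00Z,sales.ops@example.com,198.51.100.77,My Ticket Portal,0
BulkApi,2026-04-20T22:12:00Z,sales.ops@example.com,198.51.100.77,My Ticket Portal,900000
BulkApi,2026-04-20T22:40:00Z,sales.ops@example.com,198.51.100.77,My Ticket Portal,950000
BulkApi,2026-04-20T23:05:00Z,sales.ops@example.com,198.51.100.77,My Ticket Portal,1100000
ReportExport,2026-04-21T09:00:00Z,broker@example.com,203.0.113.22,,1200
"""

# Policy inputs an admin would maintain; these values are assumptions.
APPROVED_APPS = {"DataLoaderProd", "SalesforceMobile"}
BULK_ALLOWED_IPS = {"integration@example.com": {"203.0.113.10"}}
ROW_THRESHOLD = 500_000            # rows exported per user inside WINDOW
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the CSV text into dicts with typed timestamp and row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["TIMESTAMP"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["ROWS_PROCESSED"] = int(r["ROWS_PROCESSED"] or 0)
    return rows


def detect(rows):
    """Return a set of (finding_kind, user, detail) tuples."""
    findings = set()

    for r in rows:
        # 1. Any activity through a connected app outside the approved set.
        app = r["CONNECTED_APP"]
        if app and app not in APPROVED_APPS:
            findings.add(("unapproved_app", r["USER_NAME"], app))

        # 2. Bulk API use by an account that is not a designated bulk account,
        #    or by one calling from an IP outside its allowlist.
        if r["EVENT_TYPE"] == "BulkApi":
            allowed = BULK_ALLOWED_IPS.get(r["USER_NAME"])
            if allowed is None or r["CLIENT_IP"] not in allowed:
                findings.add(("bulk_api_unexpected_source", r["USER_NAME"], r["CLIENT_IP"]))

    # 3. Sliding-window volume: total rows exported per user within WINDOW.
    per_user = defaultdict(list)
    for r in rows:
        if r["EVENT_TYPE"] in ("BulkApi", "ReportExport"):
            per_user[r["USER_NAME"]].append((r["TIMESTAMP"], r["ROWS_PROCESSED"]))

    for user, events in per_user.items():
        events.sort()
        start, total = 0, 0
        for ts, count in events:
            total += count
            # Drop events that fell out of the window behind the current one.
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total > ROW_THRESHOLD:
                findings.add(("bulk_export_volume", user, total))
                break   # one finding per user is enough for an alert

    return findings


if __name__ == "__main__":
    for kind, user, detail in sorted(detect(parse_log(SAMPLE_LOG)), key=str):
        print(f"{kind:28} {user:28} {detail}")
```

On the sample data the integration account stays quiet (approved app, allowlisted IP, 95,000 rows in its window), while the sales-ops account trips all three rules, which is the shape a vished user approving a rogue app and then running bulk pulls would leave in the logs. The window sum uses a two-pointer sweep so it stays linear in the number of events per user; in a SIEM the same logic maps to a per-user sum over a one-hour tumbling or sliding window.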