    Published: February 8, 2026

    Updated: February 8, 2026

    Crunchbase Hit by Massive 2M Record Data Leak

    Crunchbase confirmed a cybersecurity incident after the extortion group ShinyHunters claimed it stole company documents and posted a tranche of data online, part of a broader wave of social engineering intrusions tied to single sign-on account takeovers.

    Crunchbase told SecurityWeek it detected that a threat actor had exfiltrated certain documents from its corporate network. The company said business operations were not disrupted and that it contained the incident while it reviewed what data was impacted and whether notifications are required.

    What Happened in the Crunchbase Hack

    Crunchbase said a threat actor removed certain documents from its corporate network and that the company contained the incident after detection, with systems described as secure and operations continuing normally. The company said it brought in outside cybersecurity specialists and contacted federal law enforcement after it identified the activity. 

    ShinyHunters claimed it stole more than 2 million records that contained personal information and said Crunchbase declined to pay an extortion demand, after which the group posted a compressed archive of files for download on its leak site. SecurityWeek reported that third party analysis of the posted material indicated it included personally identifiable information as well as contracts and other corporate data.

    Timeline: From First Access To Latest Update

    • Early to mid January 2026
      Google Threat Intelligence observed ShinyHunters-branded activity using voice phishing and victim-branded credential harvest sites to capture single sign-on credentials and MFA codes, followed by data extraction from cloud services for extortion
    • January 22, 2026
      Okta published an advisory detailing real-time voice phishing kits that allow attackers to control browser views during authentication flows and capture credentials and one-time passcodes, noting weaknesses in non-phishing-resistant MFA
    • January 23, 2026
      BleepingComputer reported that ShinyHunters claimed responsibility for a wave of voice phishing attacks against single sign-on accounts across major identity providers, involving IT support impersonation and fake login pages
    • January 26, 2026
      SecurityWeek reported that Crunchbase confirmed a breach after ShinyHunters posted files online and claimed the theft exceeded two million records, with external analysis pointing to exposed PII and corporate documents
    • January 28, 2026
      Reuters reported that Crunchbase was among several US companies affected in the same period, citing a spokesperson who said corporate network documents were impacted and the incident was contained, while noting the attacker claims were not independently verified
    • January 31, 2026
      Google Threat Intelligence issued an update stating the intrusions relied on social engineering rather than vendor vulnerabilities and recommended phishing-resistant authentication such as FIDO2 security keys or passkeys

    What Data Or Systems Were Affected

    Crunchbase has not published a detailed inventory of the impacted documents, but it characterized the affected environment as its corporate network rather than its customer facing operations and said business operations were not disrupted.

    SecurityWeek cited analysis that the leaked materials appeared to include personally identifiable information, contracts, and other internal corporate data, which is consistent with the pattern described in the wider campaign where attackers focus on data stored in enterprise SaaS tools and internal communications for extortion value.

    The company has not publicly confirmed whether any user passwords, payment data, or government ID numbers were included, and it said it was still reviewing the impacted information to determine whether formal notifications are required under applicable law.

    Who Was Responsible (Confirmed Vs Alleged)

    Crunchbase has not publicly named a suspect or attributed the intrusion to a specific actor, and its statement framed the incident as activity from a threat actor that exfiltrated documents.

    ShinyHunters claimed responsibility and framed the incident as an extortion attempt, but public reporting has noted that independent verification of some group claims can be difficult in fast moving intrusion clusters that sometimes involve partner crews or impersonation. Google Threat Intelligence said it is tracking the activity under multiple threat clusters to account for evolving partnerships and the potential for impersonation within the ShinyHunters branded ecosystem.

    How The Attack Worked

    Public reporting did not describe a specific exploit used against Crunchbase, but the broader campaign has been closely associated with voice phishing aimed at employees, where attackers call targets while impersonating IT support and direct them to credential harvest sites that mimic company login portals. BleepingComputer described a flow where attackers capture credentials and MFA codes, then use a compromised single sign on account as a gateway into connected business platforms.

    Okta described phishing kits used in these voice enabled attacks that allow real time session control, letting the caller synchronize the victim’s browser experience with the attacker’s live login attempts, which can defeat MFA methods that rely on push approvals or one time passcodes rather than phishing resistant factors. Okta also described sequences that include reconnaissance, phone number spoofing, and browser flow control to elicit MFA approvals during a live call.

    Google Threat Intelligence said the activity primarily targets cloud based SaaS applications after initial access, with data theft aimed at extortion, and said the pattern did not depend on a vulnerability in the vendors’ products or infrastructure but on social engineering that defeats weaker authentication choices.
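
    Why a one-time passcode survives being typed into the wrong page while an origin-bound factor does not, shown from the verifier's side. This is an added example, not code from Okta, Google, or Crunchbase; the origins, secrets, and challenge are constructed, and an HMAC stands in for the asymmetric signature a real FIDO2 authenticator produces.

```python
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://sso.example.com"           # constructed IdP origin
LOOKALIKE_ORIGIN = "https://sso-example.invalid"  # constructed lookalike origin

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The code says nothing about which page it was typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def authenticator_sign(key: bytes, challenge: str, browser_origin: str):
    # Simplified model of WebAuthn: the browser, not the user, records the
    # origin it is actually on, and the signature covers that value.
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def idp_verify_assertion(key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def simulate() -> dict:
    secret, key = b"constructed-totp-seed", b"constructed-credential-key"
    now, challenge = 1_769_000_000, "constructed-challenge"
    # Same user, same factors; only the page the user is on differs.
    code_from_lookalike = totp(secret, now)
    bad = authenticator_sign(key, challenge, LOOKALIKE_ORIGIN)
    good = authenticator_sign(key, challenge, REAL_ORIGIN)
    return {
        "otp_from_lookalike_accepted": idp_verify_totp(secret, code_from_lookalike, now),
        "assertion_from_lookalike_accepted": idp_verify_assertion(key, challenge, *bad),
        "assertion_from_real_origin_accepted": idp_verify_assertion(key, challenge, *good),
    }

if __name__ == "__main__":
    print(simulate())
```

    In real WebAuthn the credential is also scoped to the relying party ID, so the browser would not offer it on the lookalike origin at all; the model above shows only the origin check the server performs.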

    Impact and Risks for Customers

    If the leaked Crunchbase materials include personal information and contracts as external analysts suggested, the immediate risk centers on targeted phishing, impersonation, and social engineering against individuals and businesses listed in the files, especially when attackers can pair contact data with company context to craft credible outreach. SecurityWeek reported the leaked set appeared to contain PII and corporate documents, which raises the likelihood of follow on fraud attempts even when financial data is not present.

    For enterprise users, the greatest practical risk often involves account takeover attempts and vendor payment fraud that uses legitimate internal terms, names, and contract references, which can raise the hit rate of business email compromise attempts. Google Threat Intelligence linked this wave to data theft from business platforms and internal communications, which is the type of material criminals use for extortion pressure and secondary scams.

    Company Response And Customer Remediation

    Crunchbase said it contained the incident, engaged cybersecurity experts, and contacted federal law enforcement, and it said it was reviewing the impacted information to decide whether notifications are required under applicable legal rules.

    As of the latest public reporting cited here, Crunchbase had not published a public remediation package such as credit monitoring terms, reimbursement, or customer specific notification language, and the company’s statement focused on investigation and legal assessment of notification obligations.

    Government, Law Enforcement, And Regulator Actions

    Crunchbase said it contacted federal law enforcement after detecting the incident, but it did not specify which agency or whether any investigation is active, and public reporting did not describe arrests or seizures connected to the Crunchbase case.

    Breach notification and regulator reporting can depend on the mix of data elements and the jurisdictions of affected people, and US state regimes often require notice when defined personal information is acquired by an unauthorized party. The California Attorney General publishes a list of sample notices submitted for breaches affecting more than 500 residents, and as of February 8, 2026, the list did not show an entry for Crunchbase.

    ShinyHunters framed the incident as an extortion attempt and SecurityWeek reported the group posted more than 400 MB of compressed files online after Crunchbase declined to pay, which can create reputational and customer trust costs even before any formal notice process is complete.

    Bloomberg reported that Crunchbase said documents on its corporate network were affected and the incident was contained, in the context of a wider set of intrusions hitting multiple consumer and business brands in the same period, a pattern that can push companies into accelerated identity security upgrades and increased incident response spending.

    Public reporting in late January 2026 focused on the incident disclosure, extortion posture, and campaign mechanics, and it did not report a filed class action, a regulatory penalty, or a settlement connected to Crunchbase at that time.

    What Remains Unclear About the Crunchbase Data Breach

    Crunchbase has not published the date of initial intrusion, the detection gap, or the dwell time, which are key facts for assessing how far the attacker moved across systems and how long data access may have persisted.

    The exact contents of the leaked dataset also remain disputed in public, including the specific data fields that qualify as regulated personal information, whether any customer credentials were involved, and whether the 2 million record figure represents unique individuals, unique rows, or a broader count of entries in multiple documents.

    Why This Incident Matters

    The Crunchbase incident fits a growing pattern where attackers aim at identity and authentication workflows rather than software vulnerabilities, then use a compromised employee session to reach high value cloud services that store sensitive business data. Google Threat Intelligence said the activity relies on vishing and credential harvesting to obtain single sign on access, and then uses those footholds to exfiltrate SaaS data for extortion.

    Okta’s documentation shows why voice based attacks can succeed even in organizations that use MFA, since attackers can guide victims through real time authentication and defeat MFA choices that lack phishing resistance, which shifts the defensive focus toward stronger factors and tighter controls on SaaS access paths.

    How Bright Defense Can Help Cut Exposure to Similar Attacks

    Bright Defense can help lower the odds of a ShinyHunters style incident through targeted penetration testing that focuses on the identity layer, SaaS access paths, and the real world routes attackers use after an employee session is compromised. A pen test can validate SSO configuration, MFA choices, conditional access rules, and admin role boundaries, while also testing how quickly defenders detect suspicious logins, new device registration, and high volume exports from connected platforms.

    Continuous compliance support can keep those controls in a known good state through recurring evidence capture, policy mapping, and drift detection across identity, endpoint, and cloud settings. Teams get practical remediation guidance that ties directly to common frameworks and audit expectations, plus a clearer record of what changed, when it changed, and why it mattered.

    Sources

    SecurityWeek — Crunchbase Confirms Data Breach After Hacking Claims (January 26, 2026)
    https://www.securityweek.com/crunchbase-confirms-data-breach-after-hacking-claims/

    Reuters — Bumble, Match, Panera Bread and CrunchBase Hit by Cyberattacks, Bloomberg News Reports (January 28, 2026)
    https://www.gmanetwork.com/news/scitech/technology/974603/bumble-match-panera-bread-and-crunchbase-hit-by-cyberattacks-bloomberg-news-reports/story/

    Bloomberg (republished by Insurance Journal) — Bumble, Panera Bread, CrunchBase, Match Hit by Cyberattacks (January 29, 2026)
    https://www.insurancejournal.com/news/national/2026/01/29/856100.htm

    BleepingComputer — ShinyHunters Claim Hacks of Okta, Microsoft SSO Accounts for Data Theft (January 23, 2026)
    https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/

    Google Cloud Blog (Mandiant / Google Threat Intelligence) — Vishing for Access: Tracking the Expansion of ShinyHunters Branded SaaS Data Theft (January 31, 2026)
    https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft

    Okta Blog (Threat Intelligence) — Phishing Kits Adapt to the Script of Callers (January 22, 2026)
    https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/

    SoundCloud — Protecting Our Users and Our Service (December 15, 2025, update January 13, 2026)
    https://soundcloud.com/playbook-articles/protecting-our-users-and-our-service

    State of California Department of Justice — Search Data Security Breaches (accessed February 8, 2026)
    https://oag.ca.gov/privacy/databreach/list

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates, brings readers practical insights they can trust, and keeps them ahead of the curve.
