Crunchbase Suffers Breach According to Dark Web Reports

Key facts: Crunchbase data breach

• Date reported: January 24, 2026 (confirmed January 26, 2026).
• Threat actor: ShinyHunters (attributed to the "Scattered LAPSUS$ Hunters" collective).
• Records exposed: Over 2 million records.
• Data volume: Approximately 402MB of compressed files.
• Data types: Personally Identifiable Information (PII), signed corporate contracts, internal documents, and corporate data.
• Attack method: Voice phishing (vishing) targeting Okta single sign-on (SSO) credentials to bypass multi-factor authentication.
• Status: Data was leaked on a Tor-based site after a failed ransom extortion attempt.

What happened in the Crunchbase data breach?

Crunchbase (crunchbase.com) was the subject of a security incident reported on January 24, 2026, and officially confirmed by the company on January 26. The incident was part of a larger campaign by the notorious cybercrime group ShinyHunters, which also targeted other major platforms like SoundCloud and Betterment.

The hackers reportedly gained initial access to Crunchbase’s corporate network through a sophisticated social engineering attack known as voice phishing. By impersonating IT support, the attackers tricked employees into providing their Okta SSO credentials via a real-time phishing kit, allowing the group to bypass standard security controls. Once inside, they exfiltrated approximately 400MB of sensitive data. After Crunchbase refused to pay a ransom demand, ShinyHunters published the stolen archives on their data leak site.

Who is behind the incident?

The threat actor group ShinyHunters has claimed responsibility for this incident. Operating as the public-facing entity for a collective known as Scattered LAPSUS$ Hunters, this group is infamous for targeting high-value technology and financial organizations. Their recent 2026 campaign has focused on identity-based attacks, leveraging custom phishing kits and voice-based social engineering to compromise organizations that use centralized identity providers like Okta, Microsoft Entra, and Google.

Impact and risks for Crunchbase customers

The exposure of over 2 million records poses several risks to Crunchbase users and corporate partners. The stolen data includes personally identifiable information (PII) such as names and email addresses, as well as highly sensitive corporate documents and signed contracts.

Typical outcomes of such data exposures include targeted phishing and business email compromise (BEC). Because the leak includes internal business details and contracts, malicious actors could craft extremely convincing fraudulent communications to target Crunchbase’s partners or employees. While Crunchbase stated that business operations were not disrupted, the public availability of these documents necessitates long-term vigilance regarding corporate identity and data privacy.

Frequently asked questions

What happened in the Crunchbase security breach?

In January 2026, the ShinyHunters group breached Crunchbase (crunchbase.com) by using voice phishing to steal employee SSO credentials. After the company refused to pay an extortion demand, the hackers leaked a 400MB archive containing over 2 million records, including internal contracts and personal user data.

When did the Crunchbase breach occur?

While the data leak was publicly identified on January 24, 2026, the intrusion is believed to be part of a broader social engineering campaign that targeted Okta environments throughout December 2025 and early January 2026.

What data was exposed?

The types of data involved in the Crunchbase incident include names, email addresses, and other personal identifiers. Crucially, the leak also contained sensitive corporate information, such as signed business contracts and internal documents exfiltrated from the company’s corporate network.

Is my personal information at risk?

If you have a Crunchbase account or your company has entered into contracts with the platform, your data may have been included in the leak. Given the nature of the stolen documents, there is a risk of highly targeted phishing. You should remain vigilant and watch for official notifications from Crunchbase regarding your specific data status.

How can I protect myself after the Crunchbase data breach?

• Update your Crunchbase password and any other accounts that share the same credentials.
• Enable multi-factor authentication (MFA) on all sensitive accounts, preferably using phishing-resistant methods like hardware keys.
• Monitor your bank statements and credit reports for any unauthorized transactions.
• Be cautious of unsolicited emails or phone calls, especially those appearing to come from IT support or corporate partners.
• Use a data breach monitoring service to track potential exposures of your information.

What steps should companies take after being impacted by the Crunchbase data breach?

Organizations should respond by securing their systems, rotating compromised credentials, and notifying affected individuals as required by law. Crunchbase has engaged cybersecurity experts and federal law enforcement to investigate the scope of the exfiltration. If the breach is proven to be of more significant severity, the company should release a statement with recommended response actions.