TL;DR: Crunchbase, the platform investors and startups use to research companies, confirmed in late January 2026 that ShinyHunters exfiltrated documents from its corporate network. The attackers used voice phishing to steal Okta SSO credentials, grabbed over 2 million records including PII and signed contracts, demanded a ransom, and dumped 400MB of compressed data on their Tor site when Crunchbase refused to pay. If you have a Crunchbase account or your company's data lives on the platform, assume it's compromised.

What Happened

Sometime in December 2025, ShinyHunters ran their standard operation against Crunchbase: call an employee, pretend to be IT support, trick them into handing over Okta single sign-on credentials through a real-time phishing kit that walks the victim through login and MFA steps.

It worked. It always works.

On January 22, 2026, ShinyHunters listed Crunchbase on their relaunched Tor leak site alongside SoundCloud (29.8 million records) and Betterment (1.4 million records). On January 23, they published a 400MB compressed archive after Crunchbase refused to pay the ransom. By January 26, Crunchbase confirmed it: "A threat actor exfiltrated certain documents from our corporate network."

The company says no business operations were disrupted. They brought in outside cybersecurity experts, called the feds, and started reviewing what got taken.

What Got Taken

Alon Gal, CTO of threat intelligence firm Hudson Rock, reviewed the leaked archive and confirmed it contains sensitive personally identifiable information. Here's what's in the dump:

  • PII: names, email addresses, contact information
  • Signed corporate contracts
  • Internal business documents
  • Corporate data and financial details
  • Employee records

ShinyHunters claims the total haul exceeds 2 million records. The leaked archive is 402MB compressed, which means the uncompressed data is significantly larger.

Think about what Crunchbase actually stores. Founder contact details. Investor relationships. Funding round information. Due diligence documents. This isn't just another email-and-password dump. This is the connective tissue of the startup ecosystem.

How They Got In

Same playbook ShinyHunters have been running for a year now. The attack chain:

  1. Research the target: use data from previous breaches to identify employees with SSO access
  2. Call IT support, impersonate an employee needing credential help
  3. Direct the victim to a phishing page that mirrors the real Okta login portal
  4. Use a web-based control panel to manipulate what the victim sees in real time, walking them through login and multi-factor authentication
  5. Capture the credentials and session tokens
  6. Access everything connected through that SSO: email, internal tools, cloud storage, CRM

This isn't a zero-day exploit or a sophisticated malware campaign. It's a phone call. The most expensive penetration testing tools in the world can't protect you from someone who picks up the phone and says "Hi, this is IT."

The Ongoing ShinyHunters Rampage

Crunchbase is just one stop on ShinyHunters' 2025-2026 tour. The group has been systematically exploiting Okta SSO weaknesses across industries. Google Threat Intelligence flagged them targeting Salesforce instances as far back as June 2025.

The confirmed hit list now includes:

Universities, fintech, food delivery, credit bureaus, music streaming, and now startup intelligence. If your company uses Okta and hasn't hardened its vishing defenses, you're on the list. You just don't know it yet.

Why the Crunchbase Breach Is Different

Most breaches expose customer data: emails, passwords, maybe payment info. The Crunchbase breach exposes business relationships.

Crunchbase is where investors research startups, where sales teams find prospects, where reporters track funding rounds. The platform holds founder personal contact information, cap table structures, board member identities, and due diligence records. Signed contracts from the corporate network could reveal deal terms, partnerships, and financial arrangements companies assumed were private.

For attackers, this data is a roadmap for targeted spear-phishing. Know who just raised a Series B? Send the CEO a fake wire transfer request referencing the exact amount. Know the lead investor? Impersonate them. This is precision-targeted social engineering fuel, not bulk credential stuffing material.

If You're on Crunchbase

Assume Your Contact Info Is Out

If you have a Crunchbase profile (as a founder, investor, or employee at a listed company), treat your listed contact information as compromised. Watch for targeted phishing referencing your company or funding status.

Audit Your Crunchbase Profile

Remove any personal contact details you don't need publicly listed. Strip phone numbers, personal emails, and home addresses. Less data in the database means less data in the dump.

Watch for Investment Scams

Attackers now know your company's funding stage, investors, and business relationships. Expect convincing emails impersonating known investors or partners referencing real deal terms.

Harden SSO with Hardware Keys

If your company uses Okta, Microsoft Entra, or Google SSO, deploy FIDO2 hardware security keys for all admin accounts. Push notifications and SMS codes are exactly what ShinyHunters exploit.
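
Why a hardware key holds up against the real-time phishing page described under "How They Got In", as an added example (not from the original article or from any vendor's code): a simplified version of the checks a relying party runs on a WebAuthn login response. The hostnames are constructed, and an HMAC stands in for the authenticator's ECDSA signature so the code runs with the Python standard library alone.

```python
import base64, hashlib, hmac, json, os

RP_ID = "sso.example.com"                  # constructed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"
LOOKALIKE = "https://sso-example.test"     # constructed phishing-page origin
DEVICE_KEY = os.urandom(32)                # stand-in for the registered credential key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(challenge: bytes, page_origin: str) -> dict:
    """Response from browser + key for the page the user is actually on.
    A real key holds no credential for a lookalike host and returns nothing;
    this one signs anyway so the server-side checks can be shown."""
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": b64url(challenge)}).encode()
    host = page_origin.split("://", 1)[1]
    # rpIdHash (32 bytes) | flags 0x05 = user present + verified | 4-byte counter
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()  # HMAC, not ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(a: dict, challenge: bytes) -> str:
    """Relying-party checks; returns 'ok' or the reason for rejection."""
    cd, ad = json.loads(a["clientDataJSON"]), a["authenticatorData"]
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return "user not present"
    signed = ad + hashlib.sha256(a["clientDataJSON"]).digest()
    good = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(good, a["signature"]) else "bad signature"

def demo() -> list:
    challenge = os.urandom(32)             # fresh value per login attempt
    real = authenticator_sign(challenge, EXPECTED_ORIGIN)
    relayed = authenticator_sign(challenge, LOOKALIKE)   # user is on the lookalike page
    # Same response with the origin field altered before it reaches the server
    altered = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace(
        LOOKALIKE.encode(), EXPECTED_ORIGIN.encode()))
    return [verify_assertion(x, challenge) for x in (real, relayed, altered)]

if __name__ == "__main__":
    print(demo())  # ['ok', 'origin mismatch', 'rpIdHash mismatch']
```

SMS codes and push approvals carry no equivalent of the origin and rpIdHash fields, so a code or approval obtained on a lookalike page is accepted by the real login.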

Crunchbase's Response

Crunchbase said the incident was "contained" and systems are "secure." They engaged external cybersecurity experts, contacted federal law enforcement, and said they're reviewing impacted data to determine notification requirements under applicable law.

Translation: they're figuring out how many people they need to notify and what privacy laws apply. Law firm Schubert Jonckheer & Kolbe has already opened a class action investigation.

Crunchbase hasn't publicly detailed which specific user data was compromised or how many individual users are affected. The 2-million-record claim comes from ShinyHunters. Until Crunchbase says otherwise, that's the number.

The Bigger Picture

ShinyHunters have turned voice phishing into an industrial operation. They don't write malware. They don't exploit software vulnerabilities. They call people on the phone and ask nicely for credentials. And it keeps working: at Harvard, at Betterment, at SoundCloud, and now at Crunchbase.

Every company that uses Okta, Microsoft Entra, or Google SSO with push-notification MFA is one convincing phone call away from this exact outcome. Crunchbase stored the business intelligence of an entire industry. Now a chunk of it sits on a Tor site for anyone to download.

The fix is known. Hardware security keys for SSO access. Vishing awareness training that actually tests employees. Separate admin credentials for sensitive systems. None of this is new advice. But apparently it still needs repeating.
