Market intelligence firm Crunchbase has confirmed that it suffered a data breach in January 2026, after a notorious cybercrime group published files it claims were stolen from the company’s systems. The breach was disclosed following public claims and the release of leaked files by the hacker collective known as ShinyHunters.
According to Security Week, the cybercriminal group ShinyHunters posted a compressed archive of roughly 400 MB of data on its website after extortion attempts failed. The group says the files contain more than 2 million records taken from Crunchbase’s internal systems.
Crunchbase confirmed that the threat actor accessed and exfiltrated certain documents from its corporate network. However, it assured the public that the company's systems are now secure and confirmed that no business operations were disrupted by the incident.
Security researcher Alon Gal, who examined portions of the leaked files, says they include personally identifiable information (PII) alongside corporate data, such as signed contracts and internal documents. The severity of the breach raises concerns for individuals and businesses whose information may have been exposed.
Cybersecurity experts are also investigating whether this incident is connected to a broader campaign by ShinyHunters that reportedly targeted other tech companies, including music platform SoundCloud and investment firm Betterment. Those companies have also reported security incidents tied to the same group.
Some analysts suggest that the group may have used voice-phishing (vishing) and social engineering techniques to gain access to systems protected by single sign-on (SSO) services, although specific details about the attack method against Crunchbase have not been publicly confirmed.
Crunchbase told Security Week that they “detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network.” They note that business operations were not disrupted by the incident. “Upon detecting the incident we engaged cybersecurity experts to assist us and we contacted federal law enforcement,” the company added. “Crunchbase is aware that the threat actor posted certain information online. As part of our incident response procedures, we are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements,” they said.
According to Yahoo, ShinyHunters is a cybercrime group that first came to prominence in 2020 and has since become known for targeting large companies and stealing data. The group has been linked to breaches involving major organizations, including Google, after a compromise of a Salesforce customer-management system that led Google to urge billions of users to tighten their account security.
Rather than breaking into systems through technical vulnerabilities alone, ShinyHunters is increasingly using social engineering, especially vishing, to trick employees into revealing sensitive credentials or authentication codes. This method involves impersonating internal support staff to gain access to protected systems, a tactic that has grown harder to detect with the rise of tools like deepfakes.
Since its discovery, ShinyHunters claims to have attacked dozens of victims and, in some cases, publicly leaked or sold stolen data. Its activities have involved not just data theft for profit but also reputational damage to organizations that refuse to pay ransoms, marking it as one of the more prominent extortion-focused hacking groups in recent years.
As the Security Week article notes, the hacker group’s leak site lists other organizations that were breached around the same time, including SoundCloud and the investment firm Betterment. In SoundCloud’s case, roughly 20% of users’ email addresses and public profile data were accessed, while Betterment acknowledged that threat actors penetrated its systems through social engineering tactics and used that access to send scam messages to customers.
The involvement of multiple companies indicates that this is a systemic cybersecurity issue, not an isolated incident, and one that affects users, businesses, and regulators alike.
Exposed information could be used for phishing attacks, scams, identity theft, or account takeover attempts, especially if email addresses or profile details were accessed.
Public leaks increase pressure on victims to pay ransoms and help attackers build credibility within cybercrime communities, making future extortion attempts more effective.
Yes. If personal data was exposed, regulators may investigate whether organisations met their obligations under applicable privacy and data-protection laws.