Crunchbase Hacked With a Phone Call: 2M Records Leaked

ShinyHunters compromised Crunchbase through Okta SSO vishing and leaked 400MB of compressed data after the company refused to pay the ransom. Over 320,000 individuals directly affected.

David Brooks - January 30, 2026 - 10 min read

Key takeaways

ShinyHunters breached Crunchbase stealing over 2 million records containing personal data, signed contracts, and corporate documents. The breach exposes the entire startup ecosystem to massive impersonation attacks.

The startup ecosystem's database is now in criminal hands

I won't sugarcoat it: Crunchbase has a catastrophic problem. The criminal group ShinyHunters has leaked over 2 million records stolen from the platform that the entire startup ecosystem relies on for investment decisions, sales intelligence, and due diligence.

We're talking about 400MB of compressed data that includes personally identifiable information (PII), signed contracts, corporate documents, and employee records. 320,973 people have their sensitive information exposed on the dark web as you read this.

My verdict is clear: this isn't just another data breach. It's a direct attack on the trust infrastructure of the startup world. Crunchbase isn't some random app; it's the tool investors, founders, and sales teams use to evaluate companies, close deals, and verify identities. If that data is compromised, the door is wide open for a wave of impersonation attacks that could paralyze venture capital operations for months.

And the worst part: ShinyHunters dumped everything because Crunchbase refused to pay the ransom. Sometimes the right decision comes with brutal consequences.

Who is ShinyHunters and why you need to know their name

The most prolific data hunters on the planet

ShinyHunters isn't a new or amateur outfit. Active since 2020, they took their name from Pokemon "shiny" hunters, players who obsessively chase rare, differently-colored creatures. The analogy is spot-on: these hackers pursue rare and valuable data with the same obsession.

The numbers speak for themselves:

Victim | Records stolen | Year
AT&T | 110 million records | 2024
Santander | 30 million customers | 2024
Tokopedia | 91 million accounts | 2020
Microsoft GitHub | 500GB of source code | 2020
Grubhub | User and driver data | 2026
SoundCloud | Artist and user data | 2026
Betterment | Financial data | 2026

If you ask me directly, ShinyHunters is probably the most successful data theft group in history. They've compromised information from over one billion users across hundreds of companies. That's not hyperbole: one billion.

The cybercrime super-alliance

But here's where it gets even more interesting. ShinyHunters doesn't operate in isolation. They're part of a supergroup called SLSH, an alliance that includes:

  • Scattered Spider: The group that brought down MGM Resorts and Caesars Entertainment, causing hundreds of millions in losses
  • LAPSUS$: Responsible for breaches at Uber, Nvidia, Microsoft, and Rockstar Games
  • ShinyHunters: The operators of BreachForums, the world's largest stolen data marketplace

This alliance combines each group's specialties: social engineering (Scattered Spider), initial access (LAPSUS$), and data monetization (ShinyHunters). Think of it as a criminal conglomerate with specialized departments.

And the internal drama is something else: in January 2026, a member known as "James" exposed the data of 323,000 BreachForums users, the very forum that ShinyHunters operates. When criminals turn on each other, nobody is safe.

How they got in: the dark art of vishing

The phone call that destroyed Crunchbase's security

The entry method wasn't a zero-day exploit or sophisticated malware. It was something far simpler and, frankly, far more terrifying: a phone call.

ShinyHunters used vishing (voice phishing) to compromise the Okta SSO credentials of a Crunchbase employee. Here's how the attack unfolded step by step:

Phase 1: Reconnaissance. The attackers research their target employee. They find out which applications the company uses, who's on the IT team, what the internal support numbers are. LinkedIn, Glassdoor, and even job postings reveal any company's tech stack.

Phase 2: Setting the stage. They create custom phishing pages that are pixel-perfect replicas of the company's login portal. These aren't generic pages; they're exact copies of the Okta portal complete with Crunchbase's logo and branding.

Phase 3: The call. They phone the employee impersonating the IT team. They use spoofed phone numbers that display as the company's real support line. "Hi, this is the security team. We've detected suspicious activity on your account and need you to verify your credentials."

Phase 4: Real-time interception. The employee navigates to the link they were given, enters their username, password, and MFA code. Everything is relayed in real time to the attackers via Telegram. Dynamic phishing kits let the attackers control what the victim sees on screen at every moment.

Phase 5: Full access. With compromised Okta SSO credentials, the attackers gain access to EVERY connected enterprise application. Email, CRM, databases, cloud storage, internal tools. A single credential unlocks every door.

This exact method has been used against over 100 companies in the last 30 days. This isn't an isolated incident; it's an industrial-scale operation.

If you want to understand how other social engineering attacks are compromising tools you use daily, check out our analysis of Chrome extensions stealing AI conversations. The pattern is identical: the weakest link is always human.

What data was stolen and why it matters

The full damage inventory

Crunchbase confirmed the breach and revealed that the exposed data includes:

  • Personally identifiable information (PII): Names, emails, phone numbers, addresses
  • Signed contracts: Commercial agreements bearing real signatures
  • Corporate documents: Strategic information from listed companies
  • Employee records: Internal data about Crunchbase's own staff
  • 320,973 individuals directly affected with sensitive information exposed

The 400MB of compressed data was publicly leaked after Crunchbase refused to pay ShinyHunters' ransom demand.

The domino effect across the startup ecosystem

This is where things get truly serious. Crunchbase isn't a social network or an online store. It's critical infrastructure for the innovation ecosystem:

For investors (VCs and angels):

  • It's the primary tool for deal sourcing
  • They use it to verify startup information before investing
  • It contains data on funding rounds, valuations, and co-investors

For sales teams (B2B):

  • It's the go-to prospecting database
  • Contact details for decision-makers at thousands of companies
  • Funding history that signals purchasing power

For founders:

  • Their Crunchbase profile is their calling card for investors
  • Data on previous rounds, co-founders, and key metrics

Now picture what an attacker can do with all of this:

  1. Investor impersonation: Sending emails from "Sequoia Capital" with real portfolio company data to deceive founders
  2. Targeted founder phishing: "Hi [real name], I saw you closed your [real amount] Series A. I'm interested in discussing the Series B..." With real data, phishing success rates skyrocket
  3. Contract fraud: Using real signed contracts as templates to forge commercial agreements
  4. Corporate identity theft: Creating fake profiles of real companies for scams

I won't sugarcoat it: anyone whose information is in Crunchbase should assume they'll be targeted by social engineering attacks in the coming months. The article on the Nike breach by WorldLeaks shows just how quickly stolen data gets weaponized.

ShinyHunters in 2026: the machine doesn't stop

The Crunchbase attack isn't a one-off. ShinyHunters has maintained a blistering pace of attacks in January 2026:

Target | Data type | Method
Crunchbase | PII, contracts, documents | Vishing + Okta
Grubhub | Customer and driver data | Compromised vendor
SoundCloud | Artist and user data | Undisclosed
Betterment | Personal financial data | Undisclosed

On top of that, ShinyHunters operates BreachForums, the world's largest stolen data marketplace. It's as if the burglar also owned the pawn shop. They steal the data AND control the platform where it's sold. A vertically integrated criminal business model.

But the irony of the year: in January 2026, the member known as "James" exposed the BreachForums database containing 323,000 registered users. Names, emails, IPs, activity logs, all belonging to the criminals themselves and their customers. The hunters became the hunted.

Crunchbase's response and legal fallout

The official confirmation

Crunchbase confirmed the breach and took the following steps:

  • Hired cybersecurity experts to investigate the scope
  • Notified federal authorities (FBI and relevant agencies)
  • Refused to pay the ransom, which triggered the public leak of the data

If you ask me directly, not paying is the right call both ethically and strategically. The stats are unambiguous: 84% of companies that pay don't recover all their data, and 69% get hit again. Paying only funds more attacks.

But that doesn't erase the consequences.

Class-action lawsuits underway

At least two high-profile law firms are investigating legal action:

  • Schubert Jonckheer & Kolbe: Specialists in privacy and securities class actions
  • Edelson Lechtzin LLP: Known for data breach and consumer protection litigation

Both firms are actively seeking affected individuals to represent. If your data was in Crunchbase (and if you work in the startup ecosystem, it probably was), you could be part of a class-action lawsuit.

The AT&T legal precedent matters here: following ShinyHunters' 2024 breach that exposed 110 million records, AT&T faced regulatory fines and lawsuits exceeding $13 million in initial settlements alone.

How to protect yourself right now

If you have a Crunchbase account

Immediate actions you should take today:

1. Change all associated passwords. Not just your Crunchbase password. Any service where you use the same email or a similar password. If you've been reusing passwords (and let's be honest, most people do), now is the time to stop.

2. Enable phishing-resistant authentication. FIDO2/WebAuthn security keys (like YubiKey) are the only form of MFA that withstands real-time vishing and phishing attacks. SMS codes and authenticator apps can be intercepted using the kits ShinyHunters deploys.

3. Watch for suspicious communications. Over the coming weeks, stay alert for:

  • Emails from "investors" or "partners" who seem to know very specific details about you or your company
  • Calls from "tech support" asking you to verify credentials
  • Investment offers that sound too good to be true
  • Any communication leveraging data that only Crunchbase would have

4. Place fraud alerts on your credit. Contact the major credit bureaus (Equifax, Experian, TransUnion) to set up fraud alerts or credit freezes. It's free and protects you against fraudulent account openings.

5. Monitor for impersonation. If you're a founder or executive, regularly search your name on Google to spot fake profiles using your real data.
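Why step 2 holds, as an added example that is not from the original article or from any vendor's code: a typed MFA code carries no record of which site collected it, while a WebAuthn assertion carries the origin the browser saw and a hash of the domain the credential is scoped to, and the login server checks both. The relying-party values and sample inputs are assumptions constructed for illustration, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party settings for this sketch; not taken from the article.
RP_ID = "sso.example.com"
EXPECTED_ORIGIN = "https://sso.example.com"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             issued_challenge: bytes) -> tuple[bool, str]:
    """Context checks a relying party runs on a WebAuthn login assertion.

    Not shown: verifying the authenticator's signature over
    authenticator_data + SHA-256(client_data_json), which is what prevents
    anyone from editing these fields after the fact.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    sent = str(client.get("challenge")).encode()
    if not hmac.compare_digest(sent, b64url(issued_challenge).encode()):
        return False, "challenge mismatch"
    # The browser, not the user, records which origin asked for the login.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    # Bytes 0-31 are SHA-256 of the RP ID the credential was used for.
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # user-presence flag
        return False, "user presence flag not set"
    return True, "ok"

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Sample inputs constructed for this example, not real captures."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05]) + (7).to_bytes(4, "big"))
    return client, auth_data

if __name__ == "__main__":
    ch = b"\x01" * 32
    print(verify_assertion_context(*constructed_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    lookalike = "https://sso.example.com.login.invalid"
    print(verify_assertion_context(*constructed_assertion(lookalike, RP_ID, ch), ch))
```
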

For a comprehensive guide to protection tools, check out our article on the best cybersecurity tools in 2026.

If you run a company that uses Okta

The attack vector that compromised Crunchbase, vishing targeting Okta credentials, is an active threat against any organization using Single Sign-On:

Critical measures:

  • Implement FIDO2 security keys as the mandatory MFA method
  • Train your team specifically against vishing attacks (not just email phishing)
  • Set up alerts for logins from unusual locations or devices
  • Reduce access privileges: not everyone needs access to everything via SSO
  • Implement out-of-band verification for IT support requests (a second communication channel)
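One way to implement the login-alert measure above, as an added example that is not from the original article: flag a session that starts from an IP never seen for that user and then signs in to several different apps within minutes, the trace a stolen SSO session leaves. The events are constructed samples shaped like Okta System Log entries; the field names, thresholds, and per-user baseline are assumptions to check against your own tenant's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed tuning value
APP_THRESHOLD = 3               # assumed tuning value

def ts(event):
    """Parse the ISO 8601 'published' timestamp of an event."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def sso_fanout_alerts(events, known_ips):
    """Return one alert per (user, ip) where a session began from an IP not
    in the user's baseline and reached APP_THRESHOLD distinct apps in WINDOW."""
    started, apps = {}, defaultdict(set)
    for ev in sorted(events, key=ts):
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        key = (user, ip)
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(user, set()):
                started[key] = ts(ev)   # open a watch window
                apps[key].clear()
        elif ev["eventType"] == "user.authentication.sso" and key in started:
            if ts(ev) - started[key] > WINDOW:
                continue                # too late to count as fan-out
            apps[key].update(t["displayName"] for t in ev.get("target", [])
                             if t.get("type") == "AppInstance")
    return [{"user": u, "ip": ip, "apps": sorted(seen)}
            for (u, ip), seen in apps.items() if len(seen) >= APP_THRESHOLD]

def _ev(kind, when, ip, app=None):
    """Build one constructed sample event."""
    ev = {"eventType": kind, "published": when,
          "actor": {"alternateId": "alice@example.com"},
          "client": {"ipAddress": ip}}
    if app:
        ev["target"] = [{"type": "AppInstance", "displayName": app}]
    return ev

# Constructed sample data (documentation IP ranges), not real log entries.
KNOWN_IPS = {"alice@example.com": {"198.51.100.10"}}
SAMPLE_EVENTS = [
    _ev("user.session.start", "2026-01-12T09:00:00Z", "198.51.100.10"),
    _ev("user.authentication.sso", "2026-01-12T09:01:00Z", "198.51.100.10", "Mail"),
    _ev("user.session.start", "2026-01-12T14:02:00Z", "203.0.113.77"),
    _ev("user.authentication.sso", "2026-01-12T14:03:10Z", "203.0.113.77", "Mail"),
    _ev("user.authentication.sso", "2026-01-12T14:04:30Z", "203.0.113.77", "CRM"),
    _ev("user.authentication.sso", "2026-01-12T14:06:00Z", "203.0.113.77", "Cloud Storage"),
]

if __name__ == "__main__":
    for alert in sso_fanout_alerts(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```
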

The cybersecurity landscape in January 2026

A breach epidemic

Crunchbase isn't alone. January 2026 has been brutal for corporate security:

Company | Attacker | Records affected
Crunchbase | ShinyHunters | 2+ million
Grubhub | ShinyHunters | Undisclosed
Nike | WorldLeaks | 188,347 files
BreachForums | Insider ("James") | 323,000 users

The pattern is unmistakable: criminal groups are more organized, more sophisticated, and more productive than ever. And their preferred methods are no longer complex technical exploits. It's social engineering. Phone calls. Convincing emails. Identity impersonation.

The case of Trust Wallet and the Shai Hulud hack proves that no sector is immune: from fintech to startup databases, attackers go where the valuable data lives.

My verdict: the startup ecosystem's trust is on the line

After analyzing this case in depth, my conclusion is clear:

Crunchbase was right not to pay. The data shows that paying ransoms guarantees nothing and only funds more attacks. But the decision carries a cost: 320,973 people with their data exposed and a startup ecosystem that depends on this platform to function.

What truly concerns me isn't the breach itself. It's what comes next. Crunchbase data is pure gold for social engineering. When an attacker can email a founder saying "I saw you closed your $5M Series A with Sequoia last March", using real data, the probability of a successful attack increases exponentially.

Three predictions:

  1. We'll see a wave of impersonation attacks over the next 3-6 months, using Crunchbase data to pose as investors, founders, and partners
  2. The class-action lawsuits will cost more than the ransom ShinyHunters demanded. The irony is brutal
  3. Okta SSO will become the most exploited attack vector of 2026, because a single credential unlocks every door in an organization

If you ask me directly: every company using Okta should implement FIDO2 today, not tomorrow. Vishing defeats traditional MFA codes. Only physical security keys are immune.

The era when a data breach simply meant "change your password" is over. Now it means someone can impersonate you with real data, real contracts, and real context. And that's far more dangerous than a leaked password.

The startup ecosystem built its trust infrastructure on platforms like Crunchbase. When that infrastructure is compromised, it's not just data that's stolen: it's trust. And rebuilding trust is infinitely harder than patching a server.

Frequently Asked Questions (FAQs)

What data exactly was stolen from Crunchbase?

ShinyHunters stole over 2 million records contained in 400MB of compressed data. The information includes personally identifiable information (PII) such as names, emails, and phone numbers, signed contracts with companies, internal corporate documents, and Crunchbase employee records. A total of 320,973 individuals have their sensitive information directly exposed.

How did ShinyHunters gain access to Crunchbase?

They used vishing (voice phishing) to steal Okta SSO credentials from an employee. The attackers called posing as the IT team, directed the employee to a fake login page, and intercepted the credentials and MFA code in real time. With SSO access, they were able to enter every connected enterprise application.

Did Crunchbase pay ShinyHunters' ransom?

No. Crunchbase refused to pay, which led ShinyHunters to publicly leak all the stolen data. The company confirmed the breach, hired cybersecurity experts, and notified federal authorities. While not paying is the recommended approach according to experts, the consequence is that the data is now publicly available.

Am I affected if I have a Crunchbase profile?

Potentially, yes. If you ever created an account, updated your professional profile, or your company appears on the platform, your data could be among the 2 million-plus stolen records. You should change your passwords, enable phishing-resistant MFA (FIDO2), watch for suspicious communications, and consider placing a fraud alert on your credit.

What is ShinyHunters and how many companies have they hacked?

ShinyHunters is a hacker group active since 2020, named after Pokemon shiny hunters. They've stolen data from over one billion users across hundreds of companies, including AT&T (110M records), Santander (30M customers), and Microsoft GitHub (500GB of source code). They operate BreachForums, the largest stolen data marketplace, and are part of the SLSH supergroup alongside Scattered Spider and LAPSUS$.

Written by David Brooks

Former VP of Operations at two SaaS unicorns. Now advising on digital transformation.
