Crunchbase Data Breach 2026: How ShinyHunters' Vishing Attack Exposed 2 Million Records
- ShinyHunters used vishing (voice phishing — fraudulent phone calls impersonating IT support) to steal SSO credentials and MFA codes from Crunchbase employees in late December 2025, exfiltrating over 2 million records and leaking a 400MB archive after Crunchbase refused to pay the ransom.
- Exposed data includes full names, contact information, addresses, job data, and internal contracts between Crunchbase and its partner firms — details that enable follow-on attacks against partner organizations and clients.
- The same coordinated campaign hit SoundCloud (approximately 28 million user records) and Betterment (20+ million records), with the full scope publicly disclosed on January 26, 2026 — part of a ShinyHunters operation that successfully breached over 400 companies.
- Standard MFA was bypassed through social engineering alone, making phishing-resistant hardware security keys and dedicated security awareness training your most critical immediate defenses.
What Happened
In late December 2025, ShinyHunters — a prolific cybercriminal group active since approximately 2019–2020 — breached Crunchbase, the widely used business information and startup data platform. The attack required no sophisticated software exploit. Instead, attackers used vishing (voice phishing — phone calls in which criminals impersonate trusted parties like internal IT support staff) to deceive Crunchbase employees into surrendering their Single Sign-On (SSO) credentials and Multi-Factor Authentication (MFA) codes. By convincingly posing as IT support, the attackers bypassed layers of technical security without breaking a single line of code.
Once inside, the attackers exfiltrated over 2 million records along with a 400MB archive of sensitive data, including full names, contact information, addresses, job data, and internal contracts between Crunchbase and its partner firms. When Crunchbase declined to pay the extortion demand, ShinyHunters publicly released the stolen archive. Crunchbase officially confirmed the cybersecurity incident in January 2026, acknowledging that a threat actor had exfiltrated certain documents from its corporate network while stating that business operations were not disrupted.
The breach was not isolated. It was part of a coordinated ShinyHunters campaign targeting at least three major organizations simultaneously. SoundCloud confirmed a December 2025 breach tied to the same operation, with approximately 28 million user profiles' email addresses and public data exposed. Betterment, the investment platform, detected unauthorized access on January 9, 2026, with over 20 million records potentially at risk. The full scope of the campaign was publicly disclosed on January 26, 2026.
Why It Matters for Your Organization's Security
This breach is more than a single company's misfortune — it signals a deliberate escalation in how sophisticated threat actors gain access to corporate environments, with direct implications for your data protection strategy and security posture.
ShinyHunters has been responsible for breaches at over 60 companies, including Ticketmaster (560 million records, 2024) and AT&T (70 million records, acknowledged 2024). Despite French authorities arresting four ShinyHunters members in June 2025, the group continues to operate and claim new victims. Their pivot to vishing-based SSO compromise in late 2025 marks a critical shift — moving from technically exploited software vulnerabilities to human-layer social engineering that bypasses traditional perimeter defenses entirely. Firewall hardening and software patching are necessary, but they provide no defense when the attacker's entry point is a phone call to your help desk.
The scale of this operation demands attention. ShinyHunters' broader Okta SSO vishing campaign targeted over 100 organizations and successfully breached more than 400 companies by impersonating IT support staff. As Mandiant (Google Cloud) observed, the group's operations "primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining SSO credentials and MFA codes, then target cloud-based SaaS applications to exfiltrate sensitive data for use in subsequent extortion demands." This is a repeatable, scalable playbook — and organizations in your industry sector may already be on their list.
The data protection consequences extend well beyond Crunchbase's own network. The exposed data includes internal contracts and detailed business profiles — exactly the kind of threat intelligence that criminal actors weaponize in follow-on spear-phishing attacks (highly targeted emails that use personal details to appear legitimate) against partner firms, investors, and clients listed in those records. If your organization had any data relationship with Crunchbase, your information may be in that 400MB publicly leaked archive.
EclecticIQ researchers described ShinyHunters' model as "financially motivated data extortion targeting enterprise cloud applications, with a consistent 'pay or leak' strategy that has proven effective across dozens of major organizations since 2020." Understanding this pattern is itself actionable threat intelligence — and it should reshape how you approach incident response planning. The question is not whether vishing campaigns will target organizations like yours, but whether your employees will recognize and report them when they do.
For small and mid-sized businesses, the lesson is direct: if standard MFA can be socially engineered away from organizations at the scale of Crunchbase, SoundCloud, and Betterment, it can happen to your team too. Embedding security awareness into your organizational culture is no longer optional — it is your highest-ROI first line of defense.
The AI Angle
The shift toward human-layer attacks that the Crunchbase breach represents is precisely why AI-powered security tools have moved from "nice to have" to essential — and understanding what they can and cannot do helps you invest wisely.
Traditional security systems detect known attack signatures. A vishing attack that produces a legitimate SSO login event using a real employee's stolen credentials generates no obvious technical alarm. This is where AI-driven behavioral analytics (systems that learn what "normal" activity looks like and automatically flag deviations) become critical. Tools like Darktrace and CrowdStrike Falcon use machine learning to identify anomalous access patterns — an employee downloading thousands of files at an unusual hour, logging in from an unfamiliar location, or accessing systems outside their normal role — even when the credentials used are technically valid. These tools surface the threat intelligence signal that human operators and legacy firewalls miss entirely.
From a data protection standpoint, platforms such as Recorded Future and Mandiant Advantage track ShinyHunters infrastructure and credential-harvesting domains in near real time. Integrating these feeds into your security stack can alert your team that a vishing campaign is actively targeting your sector before any call reaches your help desk. AI-assisted anomaly detection paired with real-time threat intelligence monitoring now represents the baseline for mature security awareness programs — not an advanced capability reserved for enterprise teams.
What Should You Do? 3 Action Steps
Standard SMS-based or authenticator-app MFA codes can be verbally surrendered in seconds during a vishing call. The proven solution is FIDO2/WebAuthn hardware security keys (physical devices like YubiKey that require the employee to physically tap the key to complete authentication — something that cannot be done over the phone). Mandate phishing-resistant MFA for all employees with access to SSO systems, cloud platforms, and sensitive business data. This single control would have blocked the Crunchbase attack vector. Audit your identity provider — whether Okta, Microsoft Entra ID, or Google Workspace — to confirm phishing-resistant authentication policies are actively enforced across all user accounts, not merely available as an option.
Your employees are your most targeted asset in a vishing campaign. Implement regular vishing simulation exercises — controlled test calls where your security team or a third-party vendor phones employees posing as IT support and attempts to extract credentials or MFA codes. Track who complies and use the results to drive targeted retraining. Establish and enforce a clear written policy: your IT team will never call employees to request passwords, MFA codes, or login credentials under any circumstances. Have employees sign this policy and refresh training at least quarterly. Knowing this rule exists dramatically reduces susceptibility — it is among the most impactful cybersecurity best practices any organization can implement right now, at minimal cost.
Adopt a zero-trust architecture (a security model in which no user or device is trusted by default, even inside the corporate network — every access request is continuously verified). Enforce least-privilege access (each user can reach only the systems and data their role requires) and deploy User and Entity Behavior Analytics (UEBA) tools to flag unusual data access or bulk download patterns automatically. Equally important: establish a formal incident response plan that includes a clear procedure for suspected vishing attempts. Employees need to know exactly who to contact, what to document, and what actions to take the moment something feels wrong. Effective incident response planning is the difference between a contained security event and a 400MB public data leak.
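The behavioral-analytics idea raised in The AI Angle and in the UEBA step above, shown as an added example written for this article rather than any vendor's detection logic: a minimal baseline-and-deviation check run over constructed SSO/SaaS audit events, flagging a login from an unseen country at an unusual hour followed by a bulk download, all performed under valid credentials. The event format, the baseline cutoff date and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample SSO/SaaS audit events (illustration only, not real Crunchbase logs):
# (user, UTC timestamp in ISO-8601, source country, action, object count)
SAMPLE_EVENTS = [
    ("alice", "2025-12-15T09:12:00", "US", "login", 0),
    ("alice", "2025-12-15T09:20:00", "US", "download", 12),
    ("alice", "2025-12-16T10:05:00", "US", "login", 0),
    ("alice", "2025-12-16T14:30:00", "US", "download", 8),
    ("alice", "2025-12-17T11:00:00", "US", "login", 0),
    # Valid credentials, but a new country, an off-hours login and a bulk export.
    ("alice", "2025-12-28T02:41:00", "RO", "login", 0),
    ("alice", "2025-12-28T02:55:00", "RO", "download", 4200),
]

def build_baseline(events, cutoff):
    """Per-user usual login countries, login hours and largest download before cutoff."""
    countries, hours, max_dl = defaultdict(set), defaultdict(set), defaultdict(int)
    for user, ts, country, action, count in events:
        if ts >= cutoff:  # same ISO format on every event, so string compare is safe
            continue
        if action == "login":
            countries[user].add(country)
            hours[user].add(int(ts[11:13]))  # hour field of "YYYY-MM-DDTHH:MM:SS"
        elif action == "download":
            max_dl[user] = max(max_dl[user], count)
    return countries, hours, max_dl

def hour_gap(h1, h2):  # distance on a 24-hour clock: 23:00 and 01:00 are 2 hours apart
    return min(abs(h1 - h2), 24 - abs(h1 - h2))

def detect_anomalies(events, cutoff="2025-12-20T00:00:00", bulk_factor=10, hour_slack=2):
    """Flag post-cutoff events that deviate from the baseline despite valid credentials."""
    countries, hours, max_dl = build_baseline(events, cutoff)
    alerts = []
    for user, ts, country, action, count in events:
        if ts < cutoff:
            continue
        hour = int(ts[11:13])
        if action == "login":
            if not hours[user]:
                alerts.append((user, ts, "no activity baseline exists for this user"))
            elif all(hour_gap(hour, h) > hour_slack for h in hours[user]):
                alerts.append((user, ts, f"login at {hour:02d}:00 UTC is outside usual hours"))
            if country not in countries[user]:
                alerts.append((user, ts, f"login from previously unseen country {country}"))
        elif action == "download" and count > bulk_factor * max_dl[user]:
            alerts.append((user, ts, f"bulk download of {count} objects (baseline max {max_dl[user]})"))
    return alerts
```

Run against the sample events, the three post-cutoff deviations are reported while the baseline period produces no alerts; in practice the same logic would read from your identity provider's and SaaS platforms' audit exports rather than an in-memory list.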
Frequently Asked Questions
How do I protect my business from vishing attacks that steal SSO credentials and bypass MFA?
The most effective defense is deploying phishing-resistant MFA such as FIDO2 hardware security keys (like YubiKey), which require physical possession and cannot be surrendered verbally during a phone call. Combine this with a strict documented policy that IT will never request credentials over the phone, and run regular vishing simulation drills as part of your ongoing security awareness program. Also review your SSO provider's anomalous login alerts and ensure behavioral monitoring is active for all privileged accounts. These cybersecurity best practices directly address the human vulnerability that vishing exploits — and they are effective regardless of your organization's size or security budget.
What steps should my company take if our data may have been exposed in the Crunchbase ShinyHunters breach?
If your organization had a business relationship with Crunchbase — as a customer, partner, or vendor — treat potential data exposure as likely given the scope of the leaked archive. Activate your incident response plan immediately: notify potentially affected employees and partners, audit system access logs from December 2025 through January 2026 for suspicious activity, reset credentials for any accounts sharing passwords with Crunchbase-connected systems, and engage a qualified cybersecurity professional for a formal breach assessment. Data protection regulations such as GDPR or CCPA may require notifying regulatory bodies and affected individuals within defined timeframes if personal data was involved. Speed is critical — the faster you contain and assess, the better your outcomes.
How can small businesses implement MFA that actually resists social engineering without a large security budget?
Small businesses can deploy FIDO2/WebAuthn hardware security keys at roughly $25–$50 per user — a one-time cost that provides far stronger data protection than free SMS-based MFA. Ensure your cloud identity provider supports and enforces phishing-resistant authentication policies across all user accounts. Pair hardware keys with free security awareness training resources — CISA (the U.S. Cybersecurity and Infrastructure Security Agency) offers publicly available vishing awareness guides and training materials at no cost. Combining hardware-based MFA with employees trained to recognize and report social engineering attempts is the highest-ROI security investment a small business can make in the current threat environment, and it directly addresses the attack vector used in the Crunchbase breach.
What is the difference between phishing and vishing, and why is vishing so much harder to stop with traditional security tools?
Phishing uses deceptive emails or fake websites to steal credentials. Vishing (voice phishing) uses live phone calls — attackers call victims directly while impersonating IT support, financial institutions, or government agencies. Vishing is harder to defend against because humans naturally extend trust to real-time voice conversations and feel social pressure to comply with authority figures, especially when callers demonstrate knowledge of internal systems or personnel (often gathered from prior breach data). Email phishing leaves a digital trail and can be filtered by spam and anti-phishing tools; a phone call bypasses all of those controls entirely and exploits human psychology rather than software vulnerabilities. This is why security awareness training specifically targeting vishing — combined with phishing-resistant MFA — is now a foundational cybersecurity best practice, not an advanced program element.
How do I find out if my organization's data appeared in a ShinyHunters breach, and what threat intelligence tools can help?
Start with free breach notification services: Have I Been Pwned (haveibeenpwned.com) allows you to check whether organizational email addresses appear in known leaked datasets, including those associated with ShinyHunters. For deeper organizational exposure monitoring, commercial threat intelligence platforms such as Recorded Future, Mandiant Advantage, and Flashpoint actively track ShinyHunters' dark web leak posts and can alert your security team when your domain or employee data surfaces in a new dataset. If your company had any relationship with Crunchbase, SoundCloud, or Betterment — all confirmed victims of the December 2025 vishing campaign — initiate a proactive incident response review rather than waiting for confirmation. An MSSP (Managed Security Service Provider — a company that manages your security tools and monitoring on your behalf) can provide continuous dark web monitoring as part of a managed threat intelligence service, making enterprise-grade coverage accessible to organizations of any size.
Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.