What You Need to Know about the Crunchbase Data Breach

  • Published: Feb 05, 2026
  • Last Updated: Feb 05, 2026

Crunchbase is a leading market intelligence platform that provides comprehensive data on private and public companies worldwide. Founded in 2007 and headquartered in San Francisco, California, the company serves over 80 million users, including investors, sales professionals, entrepreneurs, and business analysts. The platform combines live company data, artificial intelligence, and market activity to deliver predictive insights about funding rounds, acquisitions, leadership changes, and market trends across millions of companies.

In late January 2026, Crunchbase confirmed a significant data breach after the notorious cybercrime group ShinyHunters published stolen data on its dark web leak site. The breach reportedly exposed over 2 million records contained in approximately 400 megabytes of compressed files. According to security researcher Alon Gal, Chief Technology Officer of threat intelligence company Hudson Rock, the leaked data includes personally identifiable information (PII), signed contracts, internal corporate documents, and executive contact details.

The breach appears to be part of a broader social engineering campaign that targeted multiple technology companies in late 2025 and early 2026, including music platform SoundCloud and investment firm Betterment. Security experts believe the attackers used voice phishing (vishing) techniques to trick Crunchbase employees into providing their Okta single sign-on (SSO) credentials, allowing unauthorized access to the company's corporate network.

Crunchbase has stated that business operations were not disrupted by the incident and that the company's systems are now secure. The organization immediately engaged cybersecurity experts and contacted federal law enforcement upon detecting the breach.

When Was the Crunchbase Data Breach?

The Crunchbase data breach is believed to have occurred in December 2025 as part of a coordinated social engineering campaign targeting companies using identity providers like Okta, Microsoft Entra, and Google. However, the breach became publicly known on January 23, 2026, when ShinyHunters posted the stolen data on its dark web leak site after Crunchbase reportedly refused to pay the group's ransom demand.

Crunchbase confirmed the incident on January 26, 2026, stating that a threat actor had exfiltrated certain documents from its corporate network. According to forensic analysis by threat intelligence firms, the attackers allegedly called Crunchbase support or IT staff, impersonating internal employees to bypass security protocols and obtain SSO credentials. Once inside the network, they accessed and downloaded sensitive files before Crunchbase detected the unauthorized activity.

The timing of the breach coincides with a wider wave of attacks by ShinyHunters targeting organizations with centralized authentication systems. SoundCloud disclosed that roughly 20% of its users' email addresses and public profile data were accessed, while Betterment acknowledged that threat actors used social engineering tactics to penetrate its systems and send scam messages to customers.

ShinyHunters, which first emerged around 2020, has built a reputation for large-scale data theft followed by public leaks or sales of stolen information when extortion demands are not met. The group has been linked to breaches involving major organizations, including a compromise of a Salesforce customer management system that prompted Google to urge billions of users to strengthen their account security.

How to Check If Your Data Was Breached

As of early February 2026, Crunchbase is reviewing the compromised information to determine if any individual notifications are required under applicable legal requirements. If your data was exposed in the breach and you are affiliated with Crunchbase as a user, customer, partner, or employee, you may receive a formal notification letter once the company completes its assessment.

However, there are several ways you can proactively check if your information may have been compromised:

  • Search your email address or phone number on reliable data breach-check websites such as Have I Been Pwned or similar services. These platforms scan known data leaks and can reveal if your information appears in the Crunchbase breach or other incidents.
  • Monitor your email for unusual activity. If you suddenly receive a high volume of targeted phishing emails, especially those referencing Crunchbase, business deals, or investment opportunities, your contact information may have been exposed.
  • Review your financial accounts and credit reports for unauthorized activity. Since the breach included contracts and business documents, criminals could use exposed information to craft convincing business email compromise (BEC) attacks or fraudulent transactions.
  • Check for suspicious login attempts on your online accounts. If you receive unexpected password reset notifications, see logins from unfamiliar locations, or notice changed account settings, your credentials may have been compromised.
  • Continue to monitor Crunchbase's official website and communications channels for updates regarding the breach. The company has stated it will provide notifications as warranted by its ongoing investigation.

What to Do If Your Data Was Breached

If you believe your information was exposed in the Crunchbase data breach, taking immediate protective steps can help minimize potential damage:

  • Be extremely cautious of business-related phishing attempts. Because the leaked data includes internal contracts, signed documents, and executive contact information, cybercriminals can craft highly convincing fraudulent communications. Verify the identity of anyone contacting you about business deals, partnerships, or investment opportunities using alternative communication channels before responding or sharing additional information.
  • Enable two-factor authentication (2FA) on all your online accounts where possible, especially those related to business, email, and financial services. Consider using FIDO2-compliant hardware keys, phones, or laptops as your second factor, as some forms of 2FA can be compromised through sophisticated phishing techniques.
  • Update your passwords immediately, particularly if you use the same credentials across multiple accounts. It is recommended that you create strong, unique passwords for each account that are at least 12 to 15 characters long and combine uppercase and lowercase letters, numbers, and special symbols.
  • Monitor your credit reports and financial statements closely for signs of unauthorized activity. Look for unfamiliar inquiries, new accounts you did not open, or suspicious transactions. You can request free credit reports from the three major credit bureaus, Equifax, Experian, and TransUnion, and consider placing a fraud alert or credit freeze on your credit file.
  • Consider enrolling in an identity monitoring service that can alert you if your personal or business information appears on the dark web or is being traded illegally. These services provide ongoing surveillance and can help you respond quickly to identity theft attempts.
  • Report suspicious activity immediately. If you discover fraudulent charges, unauthorized accounts, or other signs that your information is being misused, contact your financial institutions, report the incident to the Federal Trade Commission (FTC), and file a report with your local law enforcement agency.

You should continue to check Crunchbase's official communications for updates and guidance specific to this incident. The company may provide additional resources or recommendations as its investigation progresses.

Are There Any Lawsuits Because of the Data Breach?

Yes. Several law firms have announced investigations into potential class-action lawsuits against Crunchbase following the January 2026 data breach. On January 26, 2026, San Francisco-based law firm Schubert Jonckheer & Kolbe LLP publicly announced it is investigating the breach, citing concerns about unauthorized access to sensitive information belonging to individuals affiliated with the market intelligence firm.

The law firm's investigation focuses on whether Crunchbase failed to implement adequate cybersecurity measures to protect personally identifiable information (PII), contracts, and corporate data in its possession. Attorneys are examining whether affected individuals may be entitled to monetary damages and injunctive relief requiring changes to the company's data security practices.

Other law firms have also begun reaching out to potentially affected individuals, indicating that multiple legal actions may be filed in the coming weeks and months. 

The outcome of any litigation will likely depend on the scope of the data exposed, the number of individuals affected, and whether Crunchbase can demonstrate it maintained reasonable security measures prior to the breach.

Given that the leaked files reportedly include signed contracts and proprietary business information, some legal experts suggest that affected companies could face additional risks beyond individual privacy violations. If confidential deal terms, trade secrets, or competitive intelligence were exposed, businesses may pursue separate legal claims for financial losses resulting from the breach.

Can My Crunchbase Information Be Used for Identity Theft?

Yes. The information exposed in the Crunchbase data breach poses significant risks for various forms of identity theft and fraud. The leaked data reportedly includes personally identifiable information, signed contracts, executive contact details, and internal corporate documents, all of which can be weaponized by cybercriminals in multiple ways.

With access to your name, email address, and business contact information, criminals can create highly targeted phishing campaigns and business email compromise (BEC) attacks. Because the breach includes legitimate contracts and business documents, attackers can craft extremely convincing fraudulent communications that appear to come from trusted partners, investors, or colleagues. They may impersonate executives, request fraudulent wire transfers, or trick recipients into revealing additional sensitive information.

Exposed executive and employee contact information can be used to launch sophisticated social engineering attacks against companies. Criminals may use details about business relationships, funding rounds, or partnerships gleaned from leaked documents to gain credibility and manipulate targets into providing access to corporate systems, financial accounts, or confidential data.

If the breach exposed financial information or payment details contained in contracts, criminals could attempt to make unauthorized charges, open fraudulent accounts, or commit financial fraud in your name. Even partial payment information, when combined with other personal details, can be valuable for identity thieves.

The leaked business intelligence and corporate documents may also be sold on the dark web to competitors, rival firms, or other malicious actors. Proprietary information about funding strategies, investment decisions, or business plans could be exploited for competitive advantage or used to undermine business relationships.

For individuals whose Social Security numbers, dates of birth, or other sensitive identifiers were included in contracts or documents, criminals could use this information to file fraudulent tax returns. They can also use the information to apply for credit, open bank accounts, or commit other traditional forms of identity theft.

What Can You Do to Protect Yourself Online?

The Crunchbase data breach highlights the persistent cybersecurity risks facing both individuals and businesses in today's digital landscape. Beyond responding to this specific incident, implementing strong ongoing security practices can help protect your personal and professional information:

  • Be skeptical of unsolicited communications, especially those requesting sensitive information or urgent action. Cybercriminals often exploit recent data breaches by sending phishing emails or making vishing calls that reference the incident to establish credibility. Always verify requests through independent channels before responding, even if they appear to come from legitimate sources.
  • Use unique, complex passwords for every online account. Password managers can help you generate and store strong passwords without having to remember each one. Avoid including personal information such as your name, birthday, or company name in your passwords.
  • Enable multi-factor authentication (MFA) wherever possible, particularly on accounts containing sensitive business or financial information. Even if criminals obtain your password through a data breach, MFA provides an additional barrier to unauthorized access.
  • Limit the personal and business information you share online and on professional networking sites. The more information available about you publicly, the easier it becomes for criminals to craft convincing phishing attacks or social engineering schemes.
  • Regularly review your privacy settings on professional platforms, social media, and business tools. Restrict who can see your contact information, connection lists, and activity details.
  • Be cautious when using public Wi-Fi networks for business communications or financial transactions. If you must use public networks, employ a virtual private network (VPN) to encrypt your connection and protect sensitive data from interception.
  • Keep your devices, software, and applications updated with the latest security patches. Enable automatic updates whenever possible to ensure you receive critical security fixes promptly.
  • Regularly back up important business documents and personal files to secure, encrypted storage. In the event of a ransomware attack or data loss, having recent backups ensures you can recover without paying extortion demands.
  • Educate yourself and your team about current cyber threats, including vishing, social engineering, and business email compromise tactics. Many successful attacks rely on human error rather than technical vulnerabilities.
  • Consider conducting regular security audits of your business practices, particularly if you handle sensitive client information or proprietary data. Ensure that your organization has clear protocols for verifying unusual requests, especially those involving financial transactions or access to confidential information.
