Business intelligence platform Crunchbase confirmed a data breach on January 26, 2026, after the ShinyHunters threat group published over 2 million stolen records. ShinyHunters gained access by voice-phishing Okta single sign-on credentials—part of a broader campaign targeting approximately 100 organizations.
Breach overview
| Attribute | Details |
|---|---|
| Victim | Crunchbase, Inc. |
| Attacker | ShinyHunters |
| Attack method | Okta voice phishing (vishing) |
| Records exposed | 2 million+ |
| Data leaked | ~400 MB compressed |
| Leak date | January 23, 2026 |
| Ransom demanded | Yes (refused) |
The attack technique
ShinyHunters used a sophisticated combination of voice phishing (vishing) and real-time phishing kits to bypass multi-factor authentication:
Attack flow
1. Attacker calls target employee
2. Impersonates IT support ("urgent security issue")
3. Directs victim to fake Okta login page
4. Victim enters credentials + MFA code
5. Phishing kit captures in real-time
6. Attacker replays credentials immediately
7. Access granted before MFA token expires
Why it defeats MFA
| Traditional MFA Assumption | Reality in This Attack |
|---|---|
| Attacker can’t use stolen codes | Codes replayed in real-time |
| User would notice fake site | Pixel-perfect Okta clone |
| IT support calls are verified | Social engineering bypasses verification |
| Time-based codes expire quickly | Attacker authenticates within seconds |
This technique defeats standard MFA because the attacker is authenticating in real-time as the victim enters their codes.
Phishing kit capabilities
At least two custom phishing kits are circulating among threat actors that support this attack flow:
- Real-time credential relay
- MFA code interception
- Session token capture
- Automatic authentication replay
What was stolen
After Crunchbase refused to pay the ransom, ShinyHunters leaked approximately 400 MB of compressed files on January 23, 2026.
Leaked data includes
| Category | Examples |
|---|---|
| Personally identifiable information (PII) | Names, emails, contact details |
| Signed contracts | Business agreements with partners |
| Corporate data | Internal documents |
| Customer information | Company profiles, contact data |
Business impact
Crunchbase aggregates data on private and public companies, funding rounds, investors, and business relationships. The exposure creates risks for:
| Affected Party | Risk |
|---|---|
| Crunchbase customers | Targeted phishing using leaked contacts |
| Business partners | Confidential contract terms exposed |
| Companies in database | Competitive intelligence exposure |
| Investors | Deal information potentially leaked |
Crunchbase response
“Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network. No business operations have been disrupted by this incident. We have contained the incident and our systems are secure.”
Actions taken:
- External cybersecurity specialists engaged
- Federal law enforcement notified
- Data review underway for notification requirements
- Affected systems secured
Part of a larger campaign
Crunchbase was not the only victim. ShinyHunters confirmed they used the same Okta voice phishing technique against multiple organizations.
Known victims
| Organization | Status |
|---|---|
| Crunchbase | Confirmed breach |
| SoundCloud | Confirmed breach (~28M users, ~20% of user base) |
| Betterment | Listed on leak site |
| Panera Bread | Listed on leak site |
| Edmunds | Listed on leak site |
| CarMax | Listed on leak site |
Campaign scope
When asked how many companies they targeted, ShinyHunters told researchers that “100 was close.”
Silent Push researchers confirmed the identity-theft operation targeted more than 100 Okta SSO accounts across “high-value enterprises.”
ShinyHunters background
Group profile
| Attribute | Details |
|---|---|
| Active since | 2020 |
| Specialty | Data theft and extortion |
| Infrastructure | Tor-based leak site |
| Known for | Large-scale breaches |
Connection to Scattered Spider
ShinyHunters has ties to Scattered Spider (also known as Scattered Lapsus$), the collective responsible for:
- 2023 MGM Resorts breach
- 2023 Caesars Entertainment breach
- Multiple high-profile social engineering attacks
Both groups have demonstrated sophisticated social engineering capabilities specifically targeting SSO and identity providers.
Previous ShinyHunters breaches
| Year | Target | Records |
|---|---|---|
| 2020 | Tokopedia | 91 million |
| 2020 | Microsoft (private repos) | Source code |
| 2021 | Multiple companies | Billions of records |
| 2024 | Ticketmaster | 560 million |
| 2026 | Crunchbase campaign | 100+ targets |
Defense implications
This attack underscores the limits of standard MFA against determined attackers with real-time phishing capabilities.
Why traditional controls fail
| Control | Limitation |
|---|---|
| SMS/TOTP MFA | Codes can be phished in real-time |
| Security awareness training | Sophisticated impersonation succeeds |
| URL verification | Pixel-perfect clones defeat visual inspection |
| Help desk verification | Social engineering bypasses procedures |
Effective defenses
| Control | Why It Works |
|---|---|
| FIDO2/WebAuthn hardware keys | No secrets transmitted; phishing-resistant |
| Passkeys | Bound to legitimate domain; can’t be replayed |
| Conditional access policies | Restrict auth to managed devices/known locations |
| Impossible travel detection | Flag authentication from unexpected locations |
| Anomaly detection | Identify unusual access patterns post-authentication |
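The two tables above make a claim a practitioner can check: a TOTP code relayed inside its time step is indistinguishable from the real user, while a FIDO2/WebAuthn assertion carries the origin the browser was actually on and so fails verification when it was produced on a clone page. The following is an added example (not code from the article or from Okta); the relying-party ID, origins, secrets and challenge are constructed, and an HMAC stands in for the authenticator's ECDSA signature so the block runs with the Python standard library alone.

```python
import hashlib, hmac, json, struct

RP_ID = "sso.example.com"                         # constructed relying-party ID
RP_ORIGIN = "https://sso.example.com"             # the only origin the RP accepts
CLONE_ORIGIN = "https://sso-example-login.test"   # constructed lookalike phishing page

# --- TOTP (RFC 6238): the factor the campaign relayed in real time -----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_relay_accepted(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """Strict single-step check: a code captured on the clone page is still valid
    if it is replayed before the 30 s step rolls over (many servers also accept a neighbouring step)."""
    return totp(secret, captured_at) == totp(secret, replayed_at)

# --- WebAuthn-style assertion: bound by the browser to the origin it is on ----
def authenticator_sign(key: bytes, challenge: str, page_origin: str) -> dict:
    # The browser, not the user, writes the origin it actually loaded into clientData.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()            # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the ECDSA signature (stdlib only); the RP's checks are the same.
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(key, signed, hashlib.sha256).digest()}

def rp_verify(key: bytes, expected_challenge: str, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # assertion made on a clone page: rejected
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["sig"])

def compare_factors() -> dict:
    """Constructed secrets and times; returns which logins the server would accept."""
    totp_seed, device_key, challenge, t0 = b"constructed-totp-seed", b"constructed-device-key", "nonce-42", 1_000_000_000
    genuine = authenticator_sign(device_key, challenge, RP_ORIGIN)
    relayed = authenticator_sign(device_key, challenge, CLONE_ORIGIN)   # victim on the clone
    return {"totp_relayed_10s_later": totp_relay_accepted(totp_seed, t0, t0 + 10),
            "totp_relayed_40s_later": totp_relay_accepted(totp_seed, t0, t0 + 40),
            "fido_genuine_origin": rp_verify(device_key, challenge, genuine),
            "fido_relayed_from_clone": rp_verify(device_key, challenge, relayed)}
```

In a real browser the relayed case usually fails even earlier, because a credential scoped to `RP_ID` cannot be requested from an unrelated clone domain at all; the server-side origin check shown here is the backstop.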
User awareness gaps
The shift toward real-time phishing kits means even security-conscious users can be compromised:
- URL verification doesn’t help with pixel-perfect clones
- MFA doesn’t help when codes are relayed instantly
- The authentication happens legitimately—it’s just not the user doing it
Recommendations
For organizations using Okta/SSO
| Priority | Action |
|---|---|
| Immediate | Deploy phishing-resistant MFA (FIDO2 keys) |
| Immediate | Review recent authentications for anomalies |
| High | Implement conditional access policies |
| High | Train users on IT support impersonation |
| Ongoing | Monitor for impossible travel patterns |
For security teams
| Control | Implementation |
|---|---|
| Hardware security keys | Require for privileged accounts |
| Device trust | Only allow authentication from managed devices |
| Session monitoring | Alert on bulk data access after new auth |
| Help desk procedures | Out-of-band verification for password resets |
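Two of the controls listed above ("impossible travel" and "alert on bulk data access after new auth") can be expressed as simple rules over identity-provider and application logs. The following is an added example, not the article's or Okta's code: the events are constructed and use a simplified flat schema (`ts`, `user`, `event`, `city`, `lat`, `lon`), not the real Okta System Log format, and the speed and download thresholds are illustrative assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed, simplified sign-in/activity events (not the real Okta System Log schema).
def _ev(ts, user, event, city=None, lat=None, lon=None):
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "city": city, "lat": lat, "lon": lon}

SAMPLE_EVENTS = [
    _ev("2026-01-20T09:00:00+00:00", "alice", "user.session.start", "Seattle", 47.61, -122.33),
    _ev("2026-01-20T09:40:00+00:00", "alice", "user.session.start", "Berlin", 52.52, 13.40),
    _ev("2026-01-20T10:00:00+00:00", "bob", "user.session.start", "New York", 40.71, -74.01),
    _ev("2026-01-20T13:00:00+00:00", "bob", "user.session.start", "Boston", 42.36, -71.06),
] + [_ev(f"2026-01-20T09:{41 + i // 3}:{(i % 3) * 20:02d}+00:00", "alice", "document.download")
     for i in range(12)] \
  + [_ev("2026-01-20T13:05:00+00:00", "bob", "document.download") for _ in range(3)]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dlam = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag a login whose implied speed from the same user's previous login exceeds max_kmh."""
    alerts, last = [], {}
    for e in events:
        if e["event"] != "user.session.start":
            continue
        prev = last.get(e["user"])
        if prev:
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
            kmh = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"]) / hours
            if kmh > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": e["user"], "ts": e["ts"],
                               "path": f"{prev['city']} -> {e['city']}", "kmh": round(kmh)})
        last[e["user"]] = e
    return alerts

def bulk_access_after_login(events, logins, window=timedelta(minutes=30), threshold=10):
    """Flag many document downloads shortly after a flagged login (exfiltration pattern)."""
    alerts = []
    for login in logins:
        n = sum(1 for e in events if e["user"] == login["user"] and e["event"] == "document.download"
                and login["ts"] <= e["ts"] <= login["ts"] + window)
        if n >= threshold:
            alerts.append({"rule": "bulk_access_after_login", "user": login["user"], "count": n})
    return alerts

def detect(events):
    events = sorted(events, key=lambda e: e["ts"])
    travel = impossible_travel(events)
    return travel + bulk_access_after_login(events, travel)
```

Run against `SAMPLE_EVENTS`, only alice is flagged: Seattle to Berlin in 40 minutes, followed by twelve downloads within the window; bob's New York to Boston move three hours apart stays under the speed threshold.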
For employees
- Never enter credentials after receiving unsolicited IT support calls
- Verify IT support identity through separate channel (call back known number)
- Report suspicious calls immediately to security team
- Be suspicious of urgency — legitimate IT rarely creates panic
Legal implications
Law firm Schubert Jonckheer & Kolbe announced an investigation into Crunchbase’s data breach, examining:
- Adequacy of security measures
- Timeliness of breach detection
- Notification compliance
- Potential damages for affected individuals
Class action litigation is possible depending on investigation findings.
Context
The Crunchbase breach demonstrates the evolution of credential theft attacks. By combining:
- Voice phishing for social engineering
- Real-time phishing kits for MFA bypass
- SSO targeting for maximum access
…ShinyHunters achieved access that traditional security controls couldn’t prevent.
Organizations relying on SMS or TOTP-based MFA for critical systems should treat this as a wake-up call. Phishing-resistant authentication (FIDO2, passkeys) is no longer optional for high-value accounts—it’s a baseline requirement against determined adversaries.
The broader campaign targeting ~100 organizations suggests many more breaches may be disclosed in coming weeks.