
ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio

Tags: underground-data-leak, mass-credential-exposure, cybercrime-service-ecosystem, breach-disclosure-notification, data-exfiltration-method

Updated March 21, 2026 at 02:45 PM | 3 sources

Crunchbase confirmed a cybersecurity incident after the ShinyHunters cybercrime group claimed it stole over 2 million personal records. ShinyHunters reportedly posted a 402 MB compressed archive online after an extortion attempt failed, and Crunchbase stated the threat actor exfiltrated certain documents from its corporate network. Crunchbase said business operations were not disrupted, the incident was contained, external cybersecurity experts were engaged, and federal law enforcement was notified while the company reviews the exposed data to determine required legal notifications.

In a separate ShinyHunters-linked extortion case, French crypto tax platform Waltio was reported to be facing a ransom threat tied to alleged theft of personal data for nearly 50,000 users, including threatened exposure of users’ 2024 tax reports. Waltio stated its services and production systems remained secure and that no sensitive banking or crypto access data was compromised. The activity aligns with ShinyHunters’ established pattern of data theft and leak-site pressure when ransom demands are not met.

Timeline

  1. Jan 26, 2026

    Crunchbase confirms breach and notifies law enforcement

    On January 26, 2026, Crunchbase confirmed the breach, said the incident had been contained, and stated that systems were secure and business operations were not disrupted. The company engaged external cybersecurity experts, notified federal law enforcement including the FBI, and began reviewing the exposed data for possible legal notification obligations.

  2. Jan 26, 2026

    ShinyHunters leaks 402 MB archive after failed Crunchbase extortion

    After an extortion attempt failed, ShinyHunters reportedly published a 402 MB compressed archive containing more than 2 million Crunchbase records on its leak site. The exposed material was described as including personal data and sensitive corporate files.

  3. Jan 24, 2026

    Waltio faces extortion threat over nearly 50,000 user records

    By January 24, 2026, Waltio was reported to be under extortion by ShinyHunters, which claimed to hold personal data for nearly 50,000 users and threatened to leak 2024 tax reports unless paid. Waltio said its production systems remained secure and that no banking or crypto access data was compromised.

  4. Jan 23, 2026

    ShinyHunters posts leaked Crunchbase data on dark web forums

    On January 23, 2026, leaked Crunchbase data reportedly appeared on dark web forums. Researcher Alon Gal was cited as independently verifying the authenticity of the exposed data.

  5. Jan 15, 2026

    ShinyHunters exfiltrates data from Crunchbase corporate network

    By mid-January 2026, the threat actor had reportedly exfiltrated documents and other data from Crunchbase's corporate network without disrupting public-facing services. Crunchbase later said customer databases were not compromised.

  6. Dec 1, 2025

    ShinyHunters likely gains Crunchbase access via vishing and stolen Okta credentials

    The Crunchbase intrusion likely began in December 2025, when attackers used vishing and social engineering against IT staff to steal Okta single sign-on credentials. This access reportedly enabled later movement inside the corporate environment.


Related Stories

ShinyHunters Data-Theft and Extortion Targeting CarGurus and Wynn Resorts


**ShinyHunters** is linked to multiple large-scale data-theft and extortion operations, including a breach at automotive marketplace **CarGurus** in February 2026. After an attempted extortion, the stolen CarGurus data was published publicly and reportedly included **12M+ email addresses** across multiple files, with additional exposed information such as names, phone numbers, physical and IP addresses, user account ID mappings, dealer account/subscription details, and auto finance pre-qualification application data (including application outcomes). ShinyHunters also claimed to have stolen **800,000+ records** from **Wynn Resorts** and demanded **22.34 Bitcoin (~$1.5M)** to prevent publication, setting a deadline and threatening further “digital problems” if unpaid. Data samples reviewed by a media outlet reportedly contained employee PII including **Social Security numbers**, names, emails, phone numbers, job details, salaries, start dates, and birthdays; the group alleged initial access occurred in **September 2025** via an **Oracle PeopleSoft vulnerability** combined with an employee’s credentials, and it did not clarify whether the credentials were obtained through social engineering or insider access-for-hire.

1 month ago

ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud


The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.

1 month ago

ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign


ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.

4 days ago
