ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio
Crunchbase confirmed a cybersecurity incident after the ShinyHunters cybercrime group claimed it stole over 2 million personal records. ShinyHunters reportedly posted a 402 MB compressed archive online after an extortion attempt failed, and Crunchbase stated the threat actor exfiltrated certain documents from its corporate network. Crunchbase said business operations were not disrupted, the incident was contained, external cybersecurity experts were engaged, and federal law enforcement was notified while the company reviews the exposed data to determine required legal notifications.
In a separate ShinyHunters-linked extortion case, French crypto tax platform Waltio was reported to be facing a ransom threat tied to alleged theft of personal data for nearly 50,000 users, including threatened exposure of users’ 2024 tax reports. Waltio stated its services and production systems remained secure and that no sensitive banking or crypto access data was compromised. The activity aligns with ShinyHunters’ established pattern of data theft and leak-site pressure when ransom demands are not met.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Crunchbase confirms breach and notifies law enforcement
On January 26, 2026, Crunchbase confirmed the breach, said the incident had been contained, and stated that systems were secure and business operations were not disrupted. The company engaged external cybersecurity experts, notified federal law enforcement including the FBI, and began reviewing the exposed data for possible legal notification obligations.
ShinyHunters leaks 402 MB archive after failed Crunchbase extortion
After an extortion attempt failed, ShinyHunters reportedly published a 402 MB compressed archive containing more than 2 million Crunchbase records on its leak site. The exposed material was described as including personal data and sensitive corporate files.
Waltio faces extortion threat over nearly 50,000 user records
By January 24, 2026, Waltio was reported to be under extortion by ShinyHunters, which claimed to hold personal data for nearly 50,000 users and threatened to leak 2024 tax reports unless paid. Waltio said its production systems remained secure and that no banking or crypto access data was compromised.
ShinyHunters posts leaked Crunchbase data on dark web forums
On January 23, 2026, leaked Crunchbase data reportedly appeared on dark web forums. Researcher Alon Gal was cited as independently verifying the authenticity of the exposed data.
ShinyHunters exfiltrates data from Crunchbase corporate network
By mid-January 2026, the threat actor had reportedly exfiltrated documents and other data from Crunchbase's corporate network without disrupting public-facing services. Crunchbase later said customer databases were not compromised.
ShinyHunters likely gains Crunchbase access via vishing and stolen Okta credentials
The Crunchbase intrusion likely began in December 2025, when attackers used vishing and social engineering against IT staff to steal Okta single sign-on credentials. This access reportedly enabled later movement inside the corporate environment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Crunchbase Data Breach: ShinyHunters Exposes 2M+ Records - TheCyberThrone
thecyberthrone.in
Open sourceShinyHunters claims 2 Million Crunchbase records; company confirms breach
securityaffairs.com
Open sourceFrance’s Waltio faces ransom threat from notorious hacker collective - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Data-Theft and Extortion Targeting CarGurus and Wynn Resorts
**ShinyHunters** is linked to multiple large-scale data-theft and extortion operations, including a breach at automotive marketplace **CarGurus** in February 2026. After an attempted extortion, the stolen CarGurus data was published publicly and reportedly included **12M+ email addresses** across multiple files, with additional exposed information such as names, phone numbers, physical and IP addresses, user account ID mappings, dealer account/subscription details, and auto finance pre-qualification application data (including application outcomes). ShinyHunters also claimed to have stolen **800,000+ records** from **Wynn Resorts** and demanded **22.34 Bitcoin (~$1.5M)** to prevent publication, setting a deadline and threatening further “digital problems” if unpaid. Data samples reviewed by a media outlet reportedly contained employee PII including **Social Security numbers**, names, emails, phone numbers, job details, salaries, start dates, and birthdays; the group alleged initial access occurred in **September 2025** via an **Oracle PeopleSoft vulnerability** combined with an employee’s credentials, and it did not clarify whether the credentials were obtained through social engineering or insider access-for-hire.
Mar 21, 2026
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
Mar 21, 2026
ShinyHunters Publishes Stolen Data From Bumble, Match Group, and Dozens of Firms
ShinyHunters has published a broad trove of allegedly stolen data affecting more than 40 organizations across retail, healthcare, hospitality, insurance, and consumer services, with reporting tying the leak campaign to victims including **Bumble**, **Match Group**, **Mytheresa**, **Zara**, **Carnival**, and **7-Eleven**. Researchers said the exposed material includes personally identifiable information, customer and transaction records, internal corporate files, and multi-terabyte datasets; one of the largest alleged exposures involved **Medtronic**, where roughly **9 million records** were reportedly listed before that entry was later removed from the leak site. The campaign reflects ShinyHunters' continued shift from ransomware-style encryption to **data theft and extortion**, with the group allegedly threatening to keep victim data available indefinitely on criminal platforms. Separate reports said the actors claimed to have stolen about **10 million records** from dating-app companies, while researchers also linked leaked **Bumble** data to the same operation after an earlier claim that roughly **30GB** had been taken from the company. The disclosures echo a wider criminal pattern in which stolen sensitive data is leaked to pressure victims after exfiltration, including in healthcare breaches such as the Change Healthcare incident.
Jun 7, 2026