Crunchbase Data Breach Investigation: Are Subscribers, California, NY & Texas Startups at Risk?

By Logan Lowe
Attorney

Woods Lonergan PLLC is a nationally recognized complex commercial and civil litigation firm that represents clients in select data breach class actions nationwide. Our attorneys have a proven record of holding national corporations, educational institutions, and technology vendors accountable when failures in cybersecurity expose the sensitive personal, financial, and educational information of consumers and businesses.

On January 26, 2026, the business intelligence platform Crunchbase confirmed a significant cybersecurity incident following reports that over 2 million files containing corporate documents and personally identifiable information (PII) were exfiltrated from its network. This breach is not a standard consumer email leak; with 400MB of sensitive data already released, this incident strikes at the heart of the B2B trust economy.

If you have a paid Crunchbase subscription, a Company Profile, or are an employee of Crunchbase, reports indicate your proprietary and personal data could be at risk.

The exposure in the Crunchbase data breach is heavily concentrated in regions with high venture capital activity, disproportionately affecting founders and investors in California, New York, Massachusetts, and Texas. If your firm relies on Crunchbase to store deal terms, contracts, or executive contact lists, the exposure of your competitive intelligence could be devastating.

Who Was Impacted by the Crunchbase Data Breach and What Data Is at Risk?

The data reportedly stolen is highly specific to the professional ecosystem. You are likely part of the exposed dataset if you fall into one of these categories:

  • Paid Subscribers (Pro/Enterprise): Users who rely on the platform for lead generation. If your login credentials and saved lists were compromised, hackers could potentially pivot into your own internal CRM systems.
  • Startup Founders (CA, NY, MA, TX): Founders often use personal email addresses (Gmail/Outlook) for early-stage contracts. This breach potentially links those personal identities to high-value corporate secrets, making you a prime target for “Whaling” attacks.
  • Venture Capitalists (VCs): Members of the “Venture Program” who submit monthly portfolio updates. Private investment notes, “stealth mode” deal terms, and partner cell phone numbers may be in the exfiltrated documents.
  • Employees: Internal Crunchbase staff and potentially HR data from partner organizations.

Publicly traded companies are required to notify affected parties whose data may be at risk. However, in this instance, check your inbox and the Crunchbase website immediately for updates. If you suspect your data was exposed, call our data breach lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation.

Details of the Crunchbase Infiltration: Data Breach by ShinyHunters

Reports suggest this may not have been a case of a sophisticated “hack” of encrypted code, but rather a manipulation of human trust targeting Crunchbase employees.

According to forensic analysis by threat intelligence firms, the attackers—identified as the notorious ShinyHunters group—reportedly utilized “Vishing” (Voice Phishing) to breach the network.

  • The Vulnerability: The “Human Firewall.” Attackers allegedly called Crunchbase support or IT staff, impersonating internal employees, to bypass security protocols linked to Okta Single Sign-On (SSO) credentials.
  • The Exfiltration: Once inside, reports indicate they located and exfiltrated a massive cache of internal documents rather than just scraping public data.
  • The Ransom: It has been reported that Crunchbase refused to pay the ransom. Following this refusal, ShinyHunters released a 400MB compressed archive of the stolen files to the public.

“ShinyHunters contacted him [Alon Gal] to confirm that the group is also behind the Okta SSO vishing campaign and claimed that additional leaks will follow.”

Security Affairs

Investigating Security Lapses: Did Crunchbase Fail to Protect Data?

Subscribers pay premiums for Crunchbase “Pro” and “Enterprise” specifically because the company promised a secure environment for sensitive business data.

On their own website, Crunchbase states:

“Crunchbase is committed to being a trusted and secure platform for best-in-class company data. We are Service Organization Control 2 (SOC 2) Type II compliant.”

They further highlight their verification processes:

“Our team of data analysts provides live data verification 24 hours a day, 365 days a year.”

Despite these assurances of verification and SOC 2 compliance, third-party analysis indicates that attackers were able to exfiltrate “signed contracts” and “executive contacts”—documents that subscribers reasonably expect to be behind the highest walls of encryption.

“Alon Gal, CTO of threat intelligence company Hudson Rock, has analyzed the leaked Crunchbase data and found personally identifiable information (PII), contracts, and other corporate data.”

SecurityWeek

The Blast Radius: Why Tech Hubs Are Primary Targets in the Crunchbase Data Breach

The exposure is heavily concentrated in regions with high venture capital activity.

  • California (Silicon Valley / San Francisco): Home to the highest density of “Unicorn” data and founders.
  • New York (Silicon Alley): A hub for Fintech and Media, where strict data privacy laws like the SHIELD Act apply.
  • Massachusetts (Boston): Biotech and Robotics firms with high-value intellectual property.
  • Texas (Austin / Dallas): A rapidly growing hub for enterprise software and tech migration, where many “Venture Program” partners operate.

According to Crunchbase’s own data:

“Crunchbase has the largest partnership with the venture community with 4,000+ members in our Venture Program… 600,000+ executives, entrepreneurs, and investors update over 100,000 company profiles per month.”

Crunchbase’s Corporate Response & Next Steps

Crunchbase has stated they are working with federal law enforcement. However, for many users, the data is already circulating.

“Upon detecting the incident we engaged cybersecurity experts to assist us and we contacted federal law enforcement… As part of our incident response procedures we are reviewing the impacted information to determine if any notifications are required.”

Crunchbase Statement

Proprietary data requires proprietary protection.

If your firm maintains a Crunchbase Subscription or if your Company Profile data was exposed in this breach, your competitive advantage may be at risk.


About Woods Lonergan PLLC

Woods Lonergan PLLC is a nationally recognized plaintiff firm specializing in complex civil litigation, including class action, data privacy, and cybersecurity matters. We have a proven track record of successfully holding corporations accountable for data breaches and protecting the rights of consumers and businesses.

Our firm is currently representing plaintiffs in open litigation for numerous significant data breaches in 2025, including cases involving Powerschool, Ahold Delhaize, Aflac Insurance, Allianz Insurance, Johnson Controls, Community Health Center, Columbia University, DISA Global Solutions, and New Haven Health.

Notably, in 2025, Woods Lonergan settled the 23andMe Data Breach Lawsuit for $30 million in the Northern District of California, reached an $18 million settlement in the Yale New Haven Health data breach, and secured a multi-million dollar settlement in the Sunflower Medical Group data breach case in the U.S. District Court for the District of Kansas.

Contact Our Corporate Data Privacy Team


Call Our Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation.

Woods Lonergan takes no fees unless we win.

Frequently Asked Questions (FAQs)

How will I be notified since Crunchbase is a private company?

Because Crunchbase is a privately owned entity, they are not required to file public disclosures like an 8-K with the SEC in the same manner as a public corporation. Notification may come via a direct email to the address on file or a “Notice of Data Breach” posted on their website footer. It has been reported that Crunchbase is currently reviewing the impact to determine if legal notifications are required.

Was my API key exposed in the Crunchbase breach? 

While initial reports confirm the exfiltration of documents and PII, “corporate documents” could potentially contain hardcoded API keys or integration secrets if they were included in technical documentation or contracts. We recommend rotating all Crunchbase API keys immediately as a precaution.

Does this breach affect the Crunchbase Salesforce integration? 

Attackers often target CRM integrations to pivot into broader corporate networks. If you use the Crunchbase Salesforce integration, we advise reviewing your access logs for any unusual activity, as ShinyHunters is known for targeting Salesforce vulnerabilities.

I use 2FA on Crunchbase; am I safe? 

Not necessarily. This breach involved the exfiltration of documents from the corporate network, not just a credential stuffing attack on the front end. Even if your account is locked down with 2FA, the contracts you uploaded or signed may have been stolen from the backend servers.

Is this related to the TechCrunch news site? 

No. Crunchbase spun out of TechCrunch in 2015 and is a separate independent entity. TechCrunch user data is not believed to be involved in this specific incident.

Can my company sue if we lost a deal because of this leak?

Yes. Woods Lonergan is actively investigating these claims as details of the breach unfold. This is a key distinction of B2B breaches. If “stealth mode” deal terms or proprietary trade secrets were allegedly leaked, causing demonstrable financial loss (e.g., a competitor undercutting a bid), your company may have a claim for Tortious Interference or Loss of Business Value.

I signed a “Class Action Waiver” or “Arbitration Clause” in the Crunchbase Terms of Service. Can I still sue?

It depends on the jurisdiction and the nature of the claim. In states like California, arbitration clauses can sometimes be successfully challenged if they are deemed unconscionable or if the claim involves “public injunctive relief” (under the McGill rule). Additionally, waivers may not apply if the conduct is found to constitute gross negligence rather than simple negligence. Woods Lonergan can evaluate the specific terms you signed to determine your legal options.

As a paid subscriber, can I sue for more than just my subscription cost?

Yes. While the breach of contract may involve subscription fees, plaintiffs in data breach class actions often pursue claims based on negligence, breach of implied contract, and breach of fiduciary duty. In successful settlements, named plaintiffs (Class Representatives) are frequently eligible for service awards that significantly exceed basic reimbursement, acknowledging their role in holding the corporation accountable.

Does the fact that Crunchbase allegedly refused to pay the ransom affect my legal rights?

It appears it might. While companies are generally advised not to pay ransoms, if it can be proven that Crunchbase lacked adequate backups or encryption that would have made the stolen data useless to the hackers, their security practices could be scrutinized in litigation regarding their duty to mitigate harm.

Am I liable if my own clients’ data was exposed through my Crunchbase account?

This is known as “Downstream Liability,” and it is a major concern for B2B users. If you used Crunchbase to store sensitive client info that was subsequently leaked, your clients might look to hold you responsible. Joining a class action or filing a cross-complaint against Crunchbase can be a critical step in demonstrating that you are taking action to mitigate these damages and recover losses on behalf of your clients.

I am a founder with a personal email listed on Crunchbase. Can I join a lawsuit?

Yes. Even if you used Crunchbase for business purposes, if your personally identifiable information (PII)—such as your personal Gmail, home address, or social security number found in contracts—was exposed, you may have standing to sue as an individual for negligence and invasion of privacy.

What should I do if I find my contract on the dark web?

Immediately document the URL and take a screenshot (if safe to do so) as evidence. Do not pay any individual demanding money to remove it. Then, contact a data privacy attorney immediately. The presence of your contract on the dark web is strong evidence of “concrete injury,” which is critical for establishing standing in federal court.


About the Author
Logan Lowe joined Woods Lonergan PLLC in 2009. Since that time, Logan has worked diligently on the firm’s intellectual property and technology law matters, collaborating with the firm’s litigation group on nearly all intellectual property disputes. Logan’s area of concentration includes developing technology, cybersecurity, cryptocurrency, blockchain technology, and GDPR compliance.
Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.