An unidentified hacker recently disclosed a significant scrape of Crunchbase data in 2024, resulting in a substantial leak of company and user data. The breach includes details from approximately 3.1 million companies and 1.2 million users, raising concerns about the potential misuse of the aggregated information. Although the scraped data might have been publicly accessible, the sheer volume of information, encompassing contacts, social media accounts, locations, and organizational hierarchy, poses risks of large-scale spear phishing attacks and gives malicious actors enhanced social engineering capabilities.
The alleged Crunchbase data breach could have serious ramifications, given the platform’s role in providing comprehensive business information, including investment details, leadership profiles, and corporate news. The leak potentially exposes sensitive and public information related to employees, company funding, and other organizational data. Threat researcher Alon Gal emphasized the severity of the situation, describing the hacker’s actions as a “massive scrape” on Crunchbase. The hacker’s dark web post included a downloadable CSV file containing extensive company and user details, underscoring the breadth of the data breach.
Efforts to verify the alleged Crunchbase data breach by seeking an official statement or response from the organization have been inconclusive. As of the time of writing, Crunchbase has neither confirmed nor denied the breach, leaving the claims unverified from the company’s side. The incident underscores the serious data protection concerns associated with unauthorized data scraping, which potentially violates data protection rules such as the General Data Protection Regulation (GDPR). Such activities could lead to unlawful processing of personal data and various risks, including unsolicited direct marketing, identity theft, profiling, monitoring, and personal data breaches.