ShinyHunters claim to have leaked millions of records from SoundCloud and Crunchbase after failed extortion attempts, with possible links to an Okta vishing campaign.
The notorious ShinyHunters hackers are back in the news. The group has set up a dark web .onion leak site and has published alleged partial databases linked to three companies. These include SoundCloud, a global audio streaming platform, Crunchbase, which provides data on private and public companies, and Betterment, an American financial advisory company.
The leak spree began yesterday, on 22 January 2026, when messages appeared on the group’s Telegram chat account containing links to .onion domains. These links offered the public free access to the alleged data dumps. According to the group, the leaks were carried out after their extortion attempts against the affected companies were denied.
“We are after corporate regime change in all parts of the world. Pay or leak. We will aggressively and viciously come after you once we have your data. By the time you are listed here, it will be too late. Next time. You will learn from it. It will ALWAYS be your best decision, choice, and option to engage with us and come to an agreement with us. Proceed wisely,” the group’s message on the leak site says.
It is worth noting that in December 2025, SoundCloud acknowledged a data breach that impacted around 20 percent of its user base. With SoundCloud reporting between 175 and 180 million users, this places the total at roughly 35 to 36 million accounts. That figure closely matches the number of impacted users claimed by ShinyHunters.
In total, the alleged data includes more than 20 million records linked to Betterment containing Personally Identifiable Information, over 2 million alleged records from Crunchbase, and more than 30 million records associated with SoundCloud that are now circulating online.
Okta Connection?
On 22 January 2026, Okta, a cloud-based Identity and Access Management service, issued a security advisory warning of an Okta SSO vishing campaign that has already resulted in multiple victims, though the exact number remains unknown.
According to a LinkedIn post from Alon Gal of Hudson Rock, a cybersecurity firm based in Israel, ShinyHunters contacted him to confirm that the group is also behind the Okta SSO vishing campaign and claimed that additional leaks will follow.
This raises the question of whether all three alleged data breaches are linked to Okta. That remains unclear. To address this, Hackread.com has contacted ShinyHunters directly seeking clarification.
Meanwhile, the alleged data linked to all three companies remains available for download. Hackread.com has observed evidence that the download links are now being circulated across major cybercrime forums, including French and Russian language communities.
Hackread.com has also reached out to SoundCloud, Crunchbase, and Betterment for comment. Until the companies involved confirm the authenticity of the data, the alleged breaches should be treated strictly as claims.
SoundCloud Issues Statement on Incident
A SoundCloud spokesperson reached out to Hackread.com and shared an update on the incident, stating that the company detected unauthorized activity in an ancillary service dashboard in mid December and took immediate action to contain the issue, engage third-party cybersecurity experts, and conduct a thorough investigation.
According to the company’s blog post, its investigation confirmed that no sensitive data like passwords or financial information was accessed and that the impacted data was limited to email addresses and information already visible on public profiles, affecting about one-fifth of its user base.
SoundCloud also noted that a group claiming responsibility has made public assertions and conducted email flooding tactics, but the company says there is no evidence supporting those broader claims, and it is working with law enforcement while strengthening defenses and reinforcing monitoring, access controls, and other security measures. You can read SoundCloud’s full statement here, attributed to a SoundCloud spokesperson
