Crunchbase Confirms Data Breach

Plus, Comcast agrees to $117.5 million proposed class-action settlement following October 2023 data breach; and more.

Good morning! Here’s what’s up.

People

Stephen McMaster has joined Western Alliance Bank as chief information security officer in the firm’s Phoenix office.

Clips ✂️

Crunchbase Confirms Data Breach After Hacking Claims

Market intelligence firm Crunchbase has confirmed a data breach after hackers published files allegedly stolen from its systems.

The notorious ShinyHunters cybercrime group claims to have stolen more than 2 million records containing personal information from Crunchbase.

The hackers have made available more than 400 MB of compressed files for download on their website after the company refused to pay a ransom.

“Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network. No business operations have been disrupted by this incident. We have contained the incident and our systems are secure,” Crunchbase said in a statement to SecurityWeek.

“Upon detecting the incident we engaged cybersecurity experts to assist us and we contacted federal law enforcement. Crunchbase is aware that the threat actor posted certain information online. As part of our incident response procedures we are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements,” it added.

by SecurityWeek

Comcast to Pay $117.5 million to Settle Data Breach Case

Comcast has agreed to pay $117.5 million to settle a proposed class-action lawsuit stemming from an October 2023 data breach, after plaintiffs alleged the company failed to use adequate cybersecurity measures to protect sensitive customer information.

The settlement, released Friday by U.S. Judge John Milton Younge, received preliminary court approval Jan. 16, 2026, and would cover about 31.7 million people in the U.S. and its territories who received individual notice from Comcast about the breach, according to the agreement.

In the settlement papers, Comcast said it “denies all material allegations” and specifically disputed claims that it failed to protect personal information, maintained inadequate data security, was unjustly enriched through the use of personal data, violated the federal Cable Act or state consumer laws, or provided improper notice to affected individuals.

by Broadband Breakfast

Attackers Hijack Microsoft Email Accounts to Launch Phishing Campaign Against Energy Firms

Cybercriminals have compromised Microsoft email accounts belonging to organizations in the energy sector and used those trusted inboxes to distribute large volumes of phishing emails. In at least one confirmed incident, more than 600 malicious messages were sent from a single hijacked account.

Microsoft security researchers explained that the attackers did not rely on technical exploits or system vulnerabilities. Instead, they gained access by using legitimate login credentials that were likely stolen earlier through unknown means. This allowed them to sign in as real users, making the activity harder to detect.

The attack began with emails that appeared routine and business-related. These messages included Microsoft SharePoint links and subject lines suggesting formal documents, such as proposals or confidentiality agreements. To view the files, recipients were asked to authenticate their accounts.

by Cysecurity News

EU Cyber Resilience Act: Key 2026 milestones toward CRA compliance

The EU Cyber Resilience Act (“CRA”) establishes mandatory cybersecurity requirements for most hardware and software products made available on the EU market. While the CRA's date of full application (11 December 2027) is still ahead, 2026 is the year in which first obligations take effect and key operational infrastructure becomes available.

In particular, the manufacturers' obligations to notify actively exploited vulnerabilities and severe incidents will start to apply, the notified-body framework for conformity assessment will become operational, and the first standards are expected to be finalized.

This article provides an overview of the recent developments and upcoming key milestones for CRA compliance that manufacturers and other economic operators should consider in their compliance projects to avoid last-minute bottlenecks.

by Hogan Lovells

NIST issues draft Transit Community Profile to support cybersecurity programs across transit agencies

The U.S. National Institute of Standards and Technology, through its National Cybersecurity Center of Excellence (NCCoE), has released an initial public draft of NIST Internal Report 8576. Titled the ‘Transit Cybersecurity Framework Community Profile,’ the draft aligns with transit sector priorities and best practices, with the intention to help agencies prioritize cybersecurity activities and outcomes or serve as a starting point for building a new program. The public comment period for the Transit Community Profile draft is open through Feb. 23, 2026.

The Transit Profile is designed to complement, not replace, existing cybersecurity programs, guidelines, or policies that transit agencies already have in place. It suggests prioritization of cybersecurity outcomes to meet specific strategic business/mission focus areas for the transit community and identifies relevant and actionable security practices that can be implemented in support of those areas.

by Industrial Cyber

National Cybersecurity Alliance Launches Data Privacy Week 2026

The National Cybersecurity Alliance (NCA) today announced the launch of Data Privacy Week 2026, taking place from January 26 to January 30, 2026. Centered on the theme “Take Control of Your Data,” the initiative underscores the growing need for individuals and organizations to better understand how their personal information is collected, shared, and used – and how small, informed actions can help protect their privacy.

The week-long initiative will feature live and pre-recorded webinars, interactive panels, and educational sessions. These programs are designed to help individuals, families, businesses and organizations better understand how their data is collected, stored, and used.

“Data Privacy Week 2026 gives individuals, families, and organizations the opportunity to better understand the many ways their personal information moves through the digital world,” said Lisa Plaggemier, Executive Director of the NCA. “From AI chatbots and algorithmic pricing to age verification and educational technology, these sessions provide practical guidance and insights to help everyone make informed decisions about their data and protect their privacy online.”

by National Cybersecurity Alliance
