ZenBusiness Data Breach Added to HIBP With 5.1M Affected Accounts After ShinyHunters Leak

By Ash K
ZenBusiness Data Breach Added to HIBP With 5.1M Affected Accounts After ShinyHunters Leak

ZenBusiness has now moved from alleged extortion target to searchable breach record.

Have I Been Pwned listed a ZenBusiness data breach on 2 May 2026, identifying 5.1 million affected accounts from an incident dated March 2026. For defenders, the important detail is not only the size of the exposure. It is the shape of it: customer identity data, CRM-linked records, and attacker claims involving multiple cloud and business platforms.

What HIBP Added

According to Have I Been Pwned, the ZenBusiness breach contains approximately 5.1 million affected accounts. The compromised data types listed by HIBP are email addresses, names, and phone numbers.

HIBP says the incident began with a March 2026 claim by ShinyHunters, a hacker and extortion group, that it had obtained a substantial volume of ZenBusiness data. The group claimed the data had been taken from platforms including Snowflake, Mixpanel, and Salesforce, and later released the data publicly after claiming a ransom had not been paid.

The breach record describes “many terabytes” of data across thousands of files, apparently originating from multiple systems and business functions, including leads, support records, and other CRM-related data.

Why This Stands Out

This is not the kind of breach where defenders should focus only on password resets and move on. HIBP’s listed data fields do not include passwords, but email addresses, names, and phone numbers are enough to fuel targeted phishing, customer impersonation, business email compromise pretexting, and account recovery abuse.

ZenBusiness serves entrepreneurs, LLC owners, registered agent customers, and small business operators. That matters because exposed contact data may map directly to business ownership, company formation activity, support history, or customer intent. Even when the leaked fields look basic, the surrounding business context can make them far more useful to attackers.

Cybernews reported on 26 March 2026 that ShinyHunters threatened to leak “several terabytes” of ZenBusiness data unless a ransom was paid, and said the group claimed access through platforms including Snowflake, Mixpanel, and Salesforce. HIBP’s later listing gives the incident a measurable exposed-account count and confirms the data was publicly released.

Operational Risk for Customers and Defenders

The immediate risk is identity-driven abuse. Attackers do not need passwords to make a phishing message credible. A real name, email address, phone number, and association with a business formation service can support convincing lures about annual reports, compliance deadlines, registered agent notices, tax filings, payment updates, or account verification.

For security teams, the recommended first step is exposure validation. Users and organizations should check whether company-controlled email addresses appear in the ZenBusiness breach via HIBP or a trusted breach-monitoring provider. Where exposed addresses are tied to privileged roles, finance teams, founders, legal contacts, or customer support workflows, monitoring should be tightened.

Customers should also watch for unusual calls, SMS messages, and emails referencing ZenBusiness, LLC filings, compliance services, invoices, or business registration documents. Phone numbers in breach data increase the chance of multi-channel social engineering, where attackers begin with email and escalate to voice or SMS to create urgency.

What Organizations Should Do Now

Organizations with ZenBusiness-linked accounts should review exposed email addresses, confirm password uniqueness, and enable multi-factor authentication wherever those addresses are used. Even where passwords were not listed as exposed, breached identity data can still increase credential stuffing success if users reused passwords elsewhere.

Security teams should add ZenBusiness-themed lures to phishing detection logic and user awareness prompts, especially around compliance deadlines, business registration renewals, registered agent notices, and payment requests. Help desks and finance teams should be warned that attackers may reference real customer or business details to bypass normal skepticism.

For ZenBusiness and similarly exposed SaaS-driven businesses, the broader lesson is about telemetry and blast-radius control across cloud data ecosystems. When customer data is distributed across CRM, analytics, support, and warehouse platforms, breach response cannot be limited to one application. The investigation has to map where the same identity data lived, who accessed it, how it moved, and whether third-party tokens or integrations were involved.

NeuraCyb's Assessment

The ZenBusiness listing fits a familiar 2026 pattern: extortion groups turning cloud business platforms into high-value data collection points. Salesforce, Snowflake, analytics tools, and support systems often hold exactly the data attackers need for downstream fraud, even when they do not contain passwords or payment card numbers.

That is why this breach should be treated as more than a customer notification event. It is a reminder that CRM and support data are operationally sensitive. They reveal relationships, timing, intent, and trust paths. Once that context is public, attackers can reuse it long after the headline fades.

The practical takeaway is simple: check exposure, harden accounts, monitor customer-facing abuse, and assume attackers will use the business context around the data — not just the fields inside it.

References

Have I Been Pwned: ZenBusiness Data Breach

Have I Been Pwned: Who’s Been Pwned breach index

Cybernews: ShinyHunters threatens ZenBusiness with data leak

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.