High

ZenBusiness Breach: 5.1M Records Exposed (2026)

Overview

On March 12, 2026, the hacker and extortion group “ShinyHunters” claimed responsibility for a massive data breach affecting ZenBusiness, a popular business formation and compliance platform. The group alleged they exfiltrated data from ZenBusiness’s third-party cloud platforms, including Snowflake, Mixpanel, and Salesforce, and threatened to release the information unless a ransom was paid. The compromised database, now verified on Have I Been Pwned, contains records for 5,118,184 users. This breach represents a significant supply-chain attack: ZenBusiness itself may not have been directly compromised, but the attackers accessed sensitive customer data through its vendor ecosystem.

What Was Exposed

The stolen dataset includes three key types of personally identifiable information (PII):

  • Email Addresses: Primary identifiers for account access and communication.
  • Names: Full names tied to business formation documents.
  • Phone Numbers: Direct contact details for individuals and businesses.

While no financial data, Social Security numbers, or business tax IDs were reported exposed, the combination of email, name, and phone number is a potent recipe for targeted phishing and social engineering attacks. ZenBusiness customers are often entrepreneurs, making them high-value targets for scams impersonating business registration, tax, or compliance authorities.

How the Breach Happened

ShinyHunters claimed the data was stolen from third-party platforms ZenBusiness relied on for analytics, customer relationship management, and data storage. Specifically, the group targeted Snowflake (cloud data warehousing), Mixpanel (product analytics), and Salesforce (CRM). If true, this is not a breach of ZenBusiness’s own infrastructure but a compromise of its supply chain, with attackers likely exploiting misconfigured integrations, stolen API keys, or weak authentication on these third-party services. This pattern mirrors the 2024 Snowflake attacks, where hundreds of companies had customer data exfiltrated via compromised credentials.

The Attacker

ShinyHunters is a well-known hacking group with a history of extorting companies after stealing data. They have previously targeted major firms like AT&T, Microsoft (in 2023), and others. Their modus operandi is to claim a breach, post samples publicly, and then threaten to leak the full database unless a ransom is paid. In this case, the group’s claim and the subsequent HIBP verification suggest the data is legitimate and likely circulating on underground forums.

What to Do Right Now

If you have a ZenBusiness account, take these steps immediately:

  1. Check Have I Been Pwned: Visit haveibeenpwned.com and search your email address. The ZenBusiness breach is indexed, so you can verify if your data is included.
  2. Enable Multi-Factor Authentication (MFA): If your ZenBusiness account supports MFA, enable it immediately. The exposed email can be used for password reset attempts.
  3. Be Alert for Phishing: Expect targeted emails or SMS messages pretending to be from ZenBusiness, business registration agencies, or tax authorities. Do not click links in unsolicited messages.
  4. Monitor for SIM Swapping: With phone numbers exposed, attackers may attempt to port your number to a new carrier. Contact your mobile provider to add a port-out PIN or SIM swap protection.
  5. Update Security Questions: Avoid using easily guessable answers tied to publicly available information (e.g., your name, birth year).

Security Insight

This breach underscores the systemic risk of third-party data ecosystems. ZenBusiness may have robust internal security, but customer data was breached upstream via vendor integrations, a failure of supply-chain oversight. The involvement of Snowflake, a platform central to many startups’ data stacks, suggests that companies must treat vendor data access as an extension of their own attack surface. For business formation services, the exposure of names and phone numbers is especially dangerous, as attackers can pair this data with public business records to craft convincing impersonation scams.
