ShinyHunters claim theft of 1.7M CarGurus records, threaten leak
Summary
ShinyHunters claims to have stolen 1.7M CarGurus records, including PII and internal data, via voice phishing for SSO codes. CarGurus has not responded.
ShinyHunters claims CarGurus data breach
Cybercrime group ShinyHunters claims it stole 1.7 million corporate records from online vehicle marketplace CarGurus. The group posted the company to its extortion leak site on Wednesday and threatened to release the data if the firm does not respond by February 20, 2026.
The stolen files allegedly contain personally identifiable information (PII) and internal corporate data. ShinyHunters warned that a failure to negotiate would result in "annoying digital problems" for the automotive platform. CarGurus has not yet issued a public statement regarding the claims or the validity of the leaked samples.
This incident is part of a massive hacking spree that began in early 2024. The group claims it breached CarGurus on February 13 using sophisticated social engineering tactics. These attacks specifically target the authentication infrastructure that modern corporations rely on for remote work.
Vishing attacks bypass corporate security
The attackers used voice phishing, also known as "vishing," to gain access to CarGurus' systems. This method involves calling employees and posing as IT support staff or security administrators. The hackers convince workers to provide Single Sign-On (SSO) codes or approve multi-factor authentication (MFA) prompts.
ShinyHunters successfully targeted credentials for three major service providers during this campaign:
- Okta authentication tokens
- Microsoft Entra (formerly Azure AD) login credentials
- Google corporate account access
By obtaining these codes, the hackers bypass traditional password protections. They gain the same level of access as a legitimate employee, allowing them to move laterally through internal networks. This technique has proven highly effective against companies that rely on cloud-based identity management.
Financial firms face massive data leaks
The CarGurus breach is one of 15 major intrusions claimed by ShinyHunters and an affiliate group, Scattered Lapsus$ Hunters, since January. The hackers also targeted the financial services sector, listing Mercer Advisors and Beacon Pointe Advisors on their leak site this week. These firms manage billions of dollars in assets for private clients and institutional investors.
The extortionists claim to hold 5 million records from Mercer Advisors and 100,000 records from Beacon Pointe. They set a deadline of Wednesday for both companies to begin negotiations. Neither firm has responded to requests for comment or posted official breach notifications on their websites.
Blockchain lending firm Figure Technology Solutions also confirmed a breach following its appearance on the ShinyHunters site. The hackers reportedly stole nearly 1 million customer records from the company's database. Figure representatives stated that a socially engineered employee inadvertently allowed the actor to download files.
Automotive marketplaces remain primary targets
CarGurus is not the only automotive platform caught in this wave of attacks. The hackers previously listed Carvana and Edmunds as victims of unrelated intrusions. These sites hold vast amounts of consumer data, including credit applications, home addresses, and vehicle identification numbers.
The hackers claim the Carvana and Edmunds breaches occurred earlier than the current vishing campaign. However, the timing of the leaks suggests a coordinated effort to pressure the automotive industry. Car buying sites are lucrative targets because they bridge the gap between retail commerce and financial services.
ShinyHunters often sits on stolen data for months or years before making it public. This strategy allows them to maximize the pressure on companies during sensitive periods, such as quarterly earnings reports or merger negotiations. The group has a long history of targeting high-profile tech companies, including Microsoft and AT&T.
Retail and dating apps compromised
The hacking spree extends into the retail and lifestyle sectors, affecting millions of users across different platforms. Canada Goose confirmed that a "historical dataset" involving customer transactions appeared online recently. The jacket manufacturer declined to specify the age of the data or the total number of affected customers.
Panera Bread also fell victim to the campaign, with hackers claiming access via a Microsoft Entra SSO code. This breach highlights the risk to quick-service restaurant chains that store payment information and loyalty program data. The hackers frequently target these "soft" targets to build a massive repository of consumer PII.
The Match Group, which operates several of the world's largest dating platforms, also suffered intrusions. The group claims to have compromised data from the following sites:
- Hinge
- Match.com
- OkCupid
Investment platform Betterment was also named as a victim. ShinyHunters told reporters they gained entry to Betterment's internal systems by vishing for Okta SSO codes. This consistent methodology across different industries suggests a highly organized and repeatable attack pattern.
Companies struggle with incident response
Response strategies vary across the affected organizations. Figure Technology Solutions acted quickly by hiring a forensic firm to investigate the scope of its 1-million-record breach. The company is currently offering free credit monitoring to all impacted individuals and implementing new security training for staff.
Other companies, like Mercer and Beacon Pointe, have remained silent despite the public threats. This "radio silence" often indicates ongoing internal investigations or active negotiations with the extortionists. Cybersecurity experts generally advise against paying ransoms, as payment does not guarantee the deletion of stolen data.
The recurring theme in these breaches is the failure of human-centric security. Even with robust technical firewalls, a single employee's mistake can compromise an entire corporate network. ShinyHunters exploits the trust between employees and their internal IT departments to bypass the most expensive security software on the market.
How to protect personal data
As these breaches continue to surface, consumers should assume their data may be at risk. The combination of PII from CarGurus and financial data from firms like Betterment allows hackers to build comprehensive profiles for identity theft. Users of the affected services should monitor their accounts for suspicious activity immediately.
Security professionals recommend several steps for individuals impacted by these leaks:
- Enable hardware-based MFA (such as YubiKeys), which is resistant to vishing.
- Place a security freeze on credit reports with Equifax, Experian, and TransUnion.
- Change passwords for all accounts that share credentials with the breached services.
- Be wary of unsolicited phone calls or texts asking for login verification codes.
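Why a hardware key resists the code-relay pattern described above, shown as an added example that is not part of the original article. It is a simplified model: HMAC stands in for the key's public-key signature, and the origins, seeds and challenges are constructed.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://sso.example.com"      # constructed relying-party origin
LOOKALIKE = "https://sso-example.test"     # constructed lookalike origin

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # The server sees only the digits; nothing ties them to who submits them.
    return hmac.compare_digest(totp(secret, at), code)

def key_sign(key: bytes, origin: str, challenge: str):
    """Security-key response: the browser, not the user, supplies the origin."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
    # Assumption: HMAC stands in for the authenticator's public-key signature.
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def verify_assertion(key: bytes, client_data: bytes, sig: bytes, challenge: str) -> bool:
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    # Both the origin and this login session's challenge must match.
    return data["origin"] == RP_ORIGIN and data["challenge"] == challenge

def run_scenarios() -> dict:
    seed, key = b"constructed-totp-seed", b"constructed-device-key"
    t0 = 1_700_000_010                     # constructed time, start of a 30 s step
    results = {}
    # 1. A code read aloud to a caller and submitted by them 20 s later.
    results["relayed_totp"] = verify_totp(seed, totp(seed, t0), t0 + 20)
    # 2. Normal sign-in with the key on the real origin.
    cd, sig = key_sign(key, RP_ORIGIN, "challenge-A")
    results["legit_key"] = verify_assertion(key, cd, sig, "challenge-A")
    # 3. The key used on a lookalike page that relays the server's challenge.
    cd, sig = key_sign(key, LOOKALIKE, "challenge-B")
    results["lookalike_origin"] = verify_assertion(key, cd, sig, "challenge-B")
    # 4. A valid assertion replayed into a different login session.
    cd, sig = key_sign(key, RP_ORIGIN, "challenge-A")
    results["replayed"] = verify_assertion(key, cd, sig, "challenge-C")
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

The relayed one-time code is accepted because the server cannot tell who typed it, while the key's response is rejected as soon as the origin or the session challenge differs.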
The ShinyHunters campaign shows no signs of slowing down. As long as voice phishing remains an effective way to harvest SSO codes, major corporations will remain vulnerable. The February 2026 deadline for CarGurus suggests that this group is prepared for a long-term extortion campaign against the automotive giant.