ShinyHunters claims 1.7 million records stolen from CarGurus

A cybercriminal group calling itself ShinyHunters posted a claim that it exfiltrated roughly 1.7 million corporate records from online auto marketplace CarGurus and set a Feb. 20 deadline for the company to contact the group, according to reporting in The Register and other security outlets. The Register reproduced the group’s warning: “This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way.”

CarGurus did not immediately respond to reporters, and security outlets covering the claim said the company’s website contained no public notice of a breach. Attempts to contact the group through its leak site also did not produce an immediate reply, The Register reported.

Security reporting attributed to ShinyHunters and summarized by SCworld says the alleged intrusion began on Feb. 13 and was carried out using single sign-on codes obtained via voice phishing. SCworld summarized ShinyHunters’ claim that the Feb. 13 infiltration of CarGurus’ systems “enabled the theft of files with personally identifiable information and other internal company records.”

Independent forensic confirmation of the CarGurus claim was not available in the initial reports. TechRadar and other outlets described ShinyHunters’ broader modus operandi, citing Google and Mandiant experts who say the group pairs targeted voice-phishing calls with customized infrastructure to seize SSO access quickly. TechRadar summarized that the attack flow typically starts with a phone call in which attackers impersonate IT staff and tell employees to update multi-factor authentication, then capture login credentials and MFA codes, log into Okta, Microsoft Entra or Google SSO dashboards, and retrieve data from services such as Salesforce, Microsoft 365, SharePoint, DocuSign and Dropbox.

The CarGurus allegation fits a string of recent claims by ShinyHunters. SCworld and other outlets list a series of purported victims and record counts, including Mercer Advisors with 5 million records and Beacon Pointe Advisors with 100,000, while The Register cited Have I Been Pwned in reporting that Figure Technology Solutions’ incident involved nearly 1 million customer records. TechRadar noted that, if verified, CarGurus would be the 15th organization publicly named by the group in a similar campaign.

Not all entries on the group’s leak site have reflected newly discovered compromises, and some companies have provided clarifying statements. In The Register’s reporting, Figure said “an employee was socially engineered, and that allowed an actor to download a limited number of files through their account.” Canada Goose told reporters it was “aware that a historical dataset relating to past customer transactions has recently been published online,” but declined to say how old the data was or how it was originally stolen.

The alleged attack underscores growing concern in security circles about vishing aimed at SSO and cloud infrastructure. If the CarGurus claim is confirmed, the exposure of internal corporate files and personally identifiable information could trigger regulatory notification obligations and prompt incident response and customer outreach. For now, the claim remains unverified by CarGurus or an independent forensic firm, and reporters urged caution while tracking whether the company announces investigations, law enforcement involvement, or remediation steps.