Major CarGurus data breach reportedly sees 1.7 million corporate records stolen

  • CarGurus reportedly hit by ShinyHunters vishing attacks
  • Hackers claim to have stolen 1.7 million records
  • CarGurus is staying quiet for now

Online car marketplace CarGurus is allegedly the latest company to fall prey to ShinyHunters’ vishing attacks.

The notorious hacking collective posted a new note on its data leak site warning CarGurus to act quickly or have its sensitive data posted on the dark web.

“This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that’ll come your way,” ShinyHunters apparently wrote in its announcement. The group says it stole personally identifiable information (PII) and “other internal corporate data,” totaling 1.7 million records.

Yet another victim

CarGurus has not yet commented on the news, and its website says nothing about a potential breach.

If the claims are true, then CarGurus will be the 15th ShinyHunters victim breached in the same manner recently – with a phishing phone call leading to the compromise of an Okta, Entra, or Google SSO dashboard.

Experts from Google and Mandiant recently explained how ShinyHunters were able to breach so many organizations so quickly – by deploying a highly effective combination of vishing and customized infrastructure.

It all starts with a phone call on which ShinyHunters impersonate IT staff and tech operatives. They call employees in different positions and tell them their MFA settings need updating.

At the same time, they use customized infrastructure: highly modular, customizable phishing landing pages that they can tweak in real time. If the victim uses Google SSO, for example, they are served the matching landing page, which can then change depending on the type of MFA that particular employee uses.

When the attackers obtain the login credentials and MFA codes, they log into the victim's Okta, Entra, or Google SSO dashboard, through which they can pick and choose what kind of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters apparently prefer Salesforce, although they won't pass up a different opportunity, either.

Finally, after exfiltrating all of the stolen data, they will add a sample to their data leak page and reach out to the victim in an attempt to get them to pay.
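
One way a defender could detect the SSO dashboard step described above, added here as an example and not taken from the article, Google or Mandiant: flag a sign-in from an IP address not previously seen for that user when it is followed by access to several distinct downstream apps within a short window. The event schema, function name, thresholds, baseline and sample events are all constructed assumptions, not any identity provider's real log format.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not a real IdP log format):
# (timestamp, user, source_ip, action, app)
EVENTS = [
    ("2026-02-10T09:00:00", "alice", "192.0.2.10", "sso_login", None),
    ("2026-02-10T09:01:00", "alice", "192.0.2.10", "app_access", "salesforce"),
    ("2026-02-10T09:02:00", "alice", "192.0.2.10", "app_access", "microsoft365"),
    ("2026-02-10T09:03:00", "alice", "192.0.2.10", "app_access", "docusign"),
    ("2026-02-10T10:00:00", "bob", "203.0.113.50", "sso_login", None),
    ("2026-02-10T10:02:00", "bob", "203.0.113.50", "app_access", "salesforce"),
    ("2026-02-10T10:04:00", "bob", "203.0.113.50", "app_access", "sharepoint"),
    ("2026-02-10T10:05:00", "bob", "203.0.113.50", "app_access", "salesforce"),
    ("2026-02-10T10:09:00", "bob", "203.0.113.50", "app_access", "dropbox"),
    ("2026-02-10T11:00:00", "carol", "198.51.100.7", "sso_login", None),
    ("2026-02-10T11:05:00", "carol", "198.51.100.7", "app_access", "salesforce"),
    ("2026-02-10T12:00:00", "dave", "198.51.100.99", "sso_login", None),
    ("2026-02-10T12:10:00", "dave", "198.51.100.99", "app_access", "salesforce"),
    ("2026-02-10T13:30:00", "dave", "198.51.100.99", "app_access", "dropbox"),
    ("2026-02-10T14:30:00", "dave", "198.51.100.99", "app_access", "docusign"),
]
# Constructed baseline: IPs each user has signed in from before.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}, "carol": {"192.0.2.30"}}

def find_fanout(events, known_ips, window=timedelta(minutes=30), min_apps=3):
    """Flag sign-ins from an unseen IP that reach min_apps distinct apps within window."""
    sessions = {}  # (user, ip) -> (login time, distinct apps opened so far)
    alerts = []
    for ts, user, ip, action, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (user, ip)
        if action == "sso_login":
            if ip not in known_ips.get(user, set()):
                sessions[key] = (when, set())  # track only sessions from new IPs
        elif action == "app_access" and key in sessions:
            start, apps = sessions[key]
            if when - start <= window and app not in apps:
                apps.add(app)
                if len(apps) == min_apps:  # alert once, when the threshold is crossed
                    alerts.append({"user": user, "ip": ip,
                                   "login": start.isoformat(), "apps": sorted(apps)})
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(EVENTS, KNOWN_IPS):
        print(alert)
```

Only the constructed "bob" session is flagged: the known-IP session, the single-app session and the slow multi-hour session stay below the rule.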

Some of the companies that fell victim to this attack include Mercer Advisors, Beacon Pointe Advisors, Canada Goose, Figure Technology Solutions, Betterment, Match Group, Panera Bread, Carvana, and Edmunds.

Via The Register
