- CarGurus Reportedly Hit by ShinyHunters Vishing Attacks
- Hackers claim to have stolen 1.7 million records
- CarGurus stays put for now
Online car marketplace CarGurus is reportedly the latest company to fall victim to ShinyHunters vishing attacks.
The notorious hacker collective posted a new note on its data breach site warning CarGurus to act quickly or post its sensitive data on the dark web.
“This is a final warning that must be sent by February 20, 2026 before various annoying (digital) issues are leaked to you,” ShinyHunters apparently wrote in their announcement. The group says it stole personally identifiable information (PII) and “other internal corporate data,” totaling 1.7 million records.
Another victim
CarGurus has not yet commented on the news and its website says nothing about possible infringement.
If the claims are true, then CarGurus will be the 15th ShinyHunters victim attacked in the same way recently: with a phishing phone call that compromised an Okta, Entra, or Google SSO panel.
Experts from Google and Mandiant recently explained how ShinyHunters was able to penetrate so many organizations so quickly, by deploying a highly effective combination of vishing and custom infrastructure.
It all starts with a phone call in which ShinyHunters poses as IT staff and technology operators. They call employees in different positions and tell them their MFA settings need to be updated.
At the same time, they use a customized infrastructure: they have created highly modular and customizable phishing landing pages that they can modify in real time. Therefore, if the victim uses Google SSO, they will be provided with the appropriate landing page, which can then be transformed, depending on the type of MFA that particular employee uses.
When the attacker obtains the login credentials and MFA codes, he logs into the Okta, Entra or Google SSO panel, through which he can choose what type of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox or many others. ShinyHunters apparently prefers Salesforce, although they won’t pass up another opportunity either.
Finally, after extracting all the stolen data, they will add a sample to their data leak page and contact the victim to try to get them to pay.
Some of the companies that were victims of this attack include Mercer Advisors, Beacon Pointe Advisors, Canada Goose, Figure Technology Solutions, Betterment, Match Group, Panera Bread, Carvana, and Edmunds.
Through The Registry
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
