- CarGurus reportedly hit by ShinyHunter’s vishing attack
- Hackers claim to have stolen 1.7 million records
- CarGurus is silent until now
Online car marketplace CarGurus is reportedly the latest company to fall victim to ShinyHunters’ vishing attack.
The infamous hacking collective posted a new note on its data leak page, warning CarGurus to act fast or have their sensitive data put on the dark web.
“This is a final warning to reach out before February 20, 2026 before we leak along with more annoying (digital) issues coming your way,” ShinyHunters apparently wrote in its announcement. The group says it stole personally identifiable information (PII) and “other internal company data,” totaling 1.7 million records.
Another victim
CarGurus has yet to comment on the news, and its website says nothing about a potential breach.
If the allegations are true, then CarGurus will be the 15th ShinyHunters victim to be similarly breached recently – with a phishing phone call leading to the compromise of an Okta, Entra or Google SSO dashboard.
Experts from Google and Mandiant recently explained how ShinyHunters was able to breach so many organizations so quickly – by implementing a highly effective combination of vishing and custom infrastructure.
It all starts with a phone call where ShinyHunters impersonate IT staff and technicians. They call employees in various positions and tell them that their MFA settings need to be updated.
At the same time, they use custom infrastructure: they have created highly modular, customizable phishing landing pages that they can adjust in real time. Therefore, if the victim uses Google SSO, they will get the appropriate landing page, which can then be transformed depending on the type of MFA that employee is using.
Once the attacker gets the login credentials and MFA codes, they log into either the Okta, Entra, or Google SSO dashboard, through which they can pick and choose what kind of data they want to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters apparently prefer Salesforce, although they won’t miss another opportunity either.
Finally, after exfiltrating all the stolen data, they will add a sample to their data leak page and contact the victim in an attempt to make them pay.
Some of the companies that fell victim to this attack include Mercer Advisors, Beacon Pointe Advisors, Canada Goose, Figure Technology Solutions, Betterment, Match Group, Panera Bread, Carvana, and Edmunds.
Via The register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
