ShinyHunters claims 1.7M CarGurus records in latest breach spree
#Cybersecurity

Hardware Reporter

Cybercrime group ShinyHunters has allegedly stolen 1.7 million records from CarGurus, marking the latest in a string of breaches targeting major companies across multiple sectors.

The notorious cybercrime group ShinyHunters has allegedly stolen 1.7 million corporate records from online vehicle marketplace CarGurus, according to a post on the group's leak site on Wednesday. The digital extortionists gave the company until February 20, 2026, to negotiate before threatening to leak the data along with unspecified "annoying (digital) problems."

ShinyHunters claimed the compromised files included personally identifiable information and "other internal corporate data." The group has been particularly active in 2025, with Wednesday's post capping a string of 15 breaches claimed since the beginning of the year.

Recent Breach Targets

The cybercrime crew's recent victims span multiple industries:

  • Investment firms: Mercer Advisors (5 million records threatened) and Beacon Pointe Advisors (100,000 records)
  • Retail: Canada Goose (600,000 records, claimed to be historical data)
  • Financial services: Figure Technology Solutions (nearly 1 million customers)
  • Investment platform: Betterment (1.4 million users)
  • Dating apps: Match Group properties including Hinge, Match.com, and OkCupid
  • Food service: Panera Bread
  • Automotive: Carvana and Edmunds

Attack Methods and Response

ShinyHunters has employed various tactics to gain access to corporate systems. In the case of Betterment, the group claimed to have used voice phishing to obtain Okta single sign-on codes. For Panera Bread, they reportedly compromised Microsoft Entra SSO credentials.

Figure Technology Solutions confirmed an employee was socially engineered, allowing an attacker to download files through their account. The company responded by blocking the activity, engaging a forensic firm, and offering free credit monitoring to affected individuals.

Canada Goose took a different approach, stating that the 600,000-record dump was from historical data and declining to specify how old the data was or how it was originally stolen.

Pattern of Activity

This latest breach follows a pattern of high-volume data thefts that ShinyHunters has been conducting since at least 2020. The group has previously targeted companies like Microsoft, Pixlr, and Tokopedia, often selling or leaking the stolen data on dark web forums.

What makes this recent wave particularly concerning is the breadth of targets across different sectors, from automotive marketplaces to investment firms to dating apps. This suggests the group is casting a wide net and exploiting vulnerabilities across various industries.

Industry Impact

The automotive sector appears to be a particular focus, with CarGurus joining Carvana and Edmunds as recent targets. This could have implications for consumer trust in online car shopping platforms and may prompt increased security investments across the industry.

For CarGurus specifically, the breach could potentially expose customer data, internal communications, and business strategies. The company has not yet responded to inquiries about the alleged breach, but given the February 20 deadline, they may be in active negotiations with the cybercriminals.

Security Implications

These breaches highlight the ongoing challenges companies face in protecting sensitive data. The use of social engineering to bypass SSO protections demonstrates that even with modern security measures in place, human vulnerability remains a significant attack vector.

Companies are increasingly being forced to balance user convenience with security, as single sign-on solutions that make life easier for employees can also provide a single point of failure if compromised. The frequency and scale of these breaches suggest that many organizations may need to reassess their security postures and incident response plans.

As the February 20 deadline approaches for CarGurus and the other targeted companies, the cybersecurity community will be watching to see whether these organizations choose to negotiate with the criminals or prepare for potential data leaks and associated digital disruptions.

The Register has reached out to CarGurus and ShinyHunters for comment and will update this story with any responses received.
