CarGurus allegedly suffered a data breach with 1.7 million corporate records stolen, according to a notorious cybercrime crew that posted the online vehicle marketplace on its leak site on Wednesday.
"This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way," ShinyHunters wrote in its announcement, seen by The Register and shared on social media. The digital crooks claimed the compromised files included personally identifiable information and "other internal corporate data."
CarGurus did not immediately respond to The Register's inquiries. We will update this story when we hear back from the company.
According to ShinyHunters, the breach occurred on February 13, and it was part of the gang’s code stealing spree in which they used voice phishing to obtain single-sign-on codes from users of Okta, Microsoft, and Google services.
The Wednesday posts cap a string of 15 breaches claimed by ShinyHunters and Scattered Lapsus$ Hunters since the beginning of the year, including penetrating two investment advisory firms, Mercer Advisors and Beacon Pointe Advisors, listed on Sunday.
The extortionists set a Wednesday deadline for both companies to negotiate and threatened to leak 5 million records from Mercer and 100,000 from Beacon Pointe. Neither firm has posted a breach notification, and they did not respond to The Register's requests for comment.
At least one of the companies allegedly breached by ShinyHunters and posted to its leak site in February has said the compromise is from an old raid. On Monday, Canada Goose told us that it was "aware that a historical dataset relating to past customer transactions has recently been published online."
The down-filled jacket purveyor, however, declined to say how old the data is or how it was originally stolen.
Blockchain lending firm Figure Technology Solutions was also listed on ShinyHunters' leak site last week, and according to Have I Been Pwned, the criminals stole nearly 1 million customers' records.
A Figure spokesperson told us that "an employee was socially engineered, and that allowed an actor to download a limited number of files through their account."
- Canada Goose ruffles feathers over 600K record dump, says leak is old news
- Betterment breach may expose 1.4M users after social engineering attack
- ShinyHunters swipes right on 10M records in alleged dating app data grab
- Let them eat sourdough: ShinyHunters claims Panera Bread as stolen credentials victim
"We acted quickly to block the activity and retained a forensic firm to investigate what files were affected," the spokesperson's statement, sent via email, continued. "We understand the importance of these matters and are communicating with partners and those impacted as appropriate."
The company also said it is adding "safeguards and training" to boost its digital defenses, and offering free credit monitoring to all affected individuals.
Other recent victims include investment platform Betterment, Match Group (with dating sites Hinge, Match.com, and OkCupid compromised during the intrusion), Panera Bread, and car buying and review sites Carvana and Edmunds.
ShinyHunters previously told The Register that it gained access to Betterment's systems by voice phishing its Okta single sign-on (SSO) codes, and Panera via a Microsoft Entra SSO code. The criminals' spokesperson said the CarMax and Edmunds breaches were from earlier, unrelated intrusions. ®