Online vehicle marketplace CarGurus has been listed on the ShinyHunters leak site, with the cybercrime crew claiming theft of 1.7 million corporate records and threatening to publish the data unless a ransom deadline of 20 February 2026 is met. According to the gang, the intrusion occurred on 13 February 2026 and forms part of a wider voice phishing campaign targeting single sign-on (SSO) credentials across Okta, Microsoft, and Google services.
What Happened
ShinyHunters posted CarGurus to its dedicated leak portal on Wednesday, accompanied by what the gang described as a "final warning" to negotiate before publication. The post threatens to release the stolen archive alongside additional "annoying (digital) problems" if CarGurus does not respond by the cutoff date. CarGurus has not yet publicly confirmed or denied the incident and did not respond to initial press inquiries.
The CarGurus listing is the latest entry in a rapid-fire string of at least 15 breaches claimed since the start of 2026 by ShinyHunters and the affiliated Scattered Lapsus$ Hunters cluster. Recent victims posted to the same leak site include investment advisory firms Mercer Advisors (5 million records threatened) and Beacon Pointe Advisors (100,000 records), blockchain lender Figure Technology Solutions, and apparel brand Canada Goose, the latter of which characterised its leaked dataset as historical.
What Was Taken
ShinyHunters claims to have exfiltrated approximately 1.7 million corporate records from CarGurus. The gang asserts the haul includes personally identifiable information (PII) along with "other internal corporate data," though it has not published file samples or detailed schemas at the time of writing. Given CarGurus operates a marketplace connecting consumers with dealerships, exposed records may plausibly include staff and dealer-side identifiers, contact details, and internal business documentation.
The full sensitivity and scope of the dataset cannot be independently verified until either CarGurus issues a notification or the data is dumped publicly. Comparable ShinyHunters incidents this quarter, such as the Figure Technology Solutions breach, resulted in roughly 1 million customer records being indexed by Have I Been Pwned.
Why It Matters
The CarGurus incident underscores how, for high-volume extortion crews such as ShinyHunters, voice phishing has displaced credential stuffing as the preferred initial-access vector. The crew is now operating on a near-weekly cadence, packaging social engineering, SSO abuse, and rapid leak-site extortion into a repeatable assembly line. The diversity of victims, ranging from automotive marketplaces and apparel brands to wealth managers and crypto lenders, indicates the crew is opportunistic rather than vertical-specific.
For defenders, this means industry-based threat modelling is insufficient. Any organisation relying on Okta, Microsoft Entra, or Google Workspace for federated identity is in scope, and the short window between intrusion (13 February) and public extortion (18 February) leaves limited room for traditional incident response cycles.
The Attack Technique
ShinyHunters has explicitly attributed the CarGurus compromise to its ongoing vishing campaign, in which operators phone employees and impersonate IT or help desk staff to extract one-time SSO codes for Okta, Microsoft, and Google identity platforms. Once a valid session is established, the attackers pivot into connected SaaS tenants, code repositories, and corporate file stores to bulk-download accessible data.
The pattern mirrors disclosures from other recent victims. Figure Technology Solutions confirmed that "an employee was socially engineered, and that allowed an actor to download a limited number of files through their account." Betterment and other firms tied to the same campaign have described similar help desk impersonation flows. The technique does not break phishing-resistant MFA; it works wherever the second factor is a code, push approval, or number-matching prompt that a convincing caller can talk an employee into surrendering or approving, which makes the human channel, not the cryptography, the weakest link.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2 / WebAuthn / hardware keys) for all SSO logins and remove SMS, voice, and push-only fallback paths that vishing operators routinely exploit. Number matching on push prompts does not help here: the attacker, who is driving the login screen, simply reads the number to the employee over the phone.
- Re-train help desk and IT staff on caller verification procedures, including out-of-band callback to known numbers before resetting credentials, MFA factors, or session tokens.
- Audit Okta, Microsoft Entra, and Google Workspace logs for anomalous session creation, impossible travel, and bulk download activity originating from newly enrolled devices since early February 2026.
- Tighten OAuth and SaaS app authorisation: review third-party app grants, restrict token scopes, and monitor for newly created service principals or app registrations.
- Deploy data loss prevention (DLP) rules on cloud file stores (SharePoint, Google Drive, OneDrive) to flag large outbound transfers and mass downloads from a single session.
- Prepare a vishing-specific tabletop exercise and pre-drafted breach communications, given the compressed timeline ShinyHunters typically allows between intrusion and public extortion.
Sources: ShinyHunters claims it drove off with 1.7M CarGurus records