CarGurus allegedly hit in data breach, claiming 1.7 million records stolen

On the Dash:

• Third-party marketplace breaches can expose corporate and potentially sensitive operational data.
• Voice phishing targeting SSO systems remains an active threat vector for automotive-related platforms.
• Dealers should reassess vendor cybersecurity protocols and employee authentication safeguards.

CarGurus purportedly suffered a data breach involving 1.7 million corporate records, according to ShinyHunters, a cybercrime crew that posted the online vehicle marketplace to its leak site on Wednesday.

“This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that’ll come your way,” ShinyHunters wrote in its announcement shared on social media. The group claimed the compromised files included personally identifiable information and “other internal corporate data.”

According to ShinyHunters, the breach occurred on Feb. 13 and was part of a broader code-stealing spree. The group said it used voice phishing to obtain single-sign-on codes from users of Okta, Microsoft, and Google services.

Sign up for CBT News’ daily newsletter and get the latest industry stories delivered straight to your inbox. 

The Wednesday post marked one of 15 breaches claimed this year by ShinyHunters and Scattered Lapsus$ Hunters. The group also listed investment advisory firms Mercer Advisors and Beacon Pointe Advisors on Sunday, setting a Wednesday deadline to negotiate and threatening to leak 5 million records from Mercer and 100,000 from Beacon Pointe. Neither firm has posted a breach notification or responded to requests for comment.

Blockchain lending firm Figure Technology Solutions was also listed on the leak site last week. Have I Been Pwned reported that nearly 1 million customer records were stolen. A Figure spokesperson said “an employee was socially engineered,” allowing an actor to download a limited number of files. The company said it blocked the activity, retained a forensic firm, is adding safeguards and training, and is offering free credit monitoring to affected individuals.

Other recent victims cited by the group include Betterment, Match Group, Panera Bread, and car-buying and review sites CarMax and Edmunds.