- CarGurus Reportedly Hit by ShinyHunters Vishing Attacks
- Hackers claim to have stolen 1.7 million records
- CarGurus remains silent for the moment
Online auto marketplace CarGurus is reportedly the latest company to fall prey to ShinyHunters vishing attacks.
The notorious hacker collective has released a new note on its data leak site warning CarGurus to act quickly or publish its sensitive data on the dark web.
“This is a final warning to be given between now and February 20, 2026 before a leak and several annoying (digital) issues arise,” ShinyHunters apparently wrote in its announcement. The group claims to have stolen personally identifiable information (PII) and “other internal company data,” totaling 1.7 million records.
Another victim
CarGurus has not yet commented on the news and its website is silent about a possible violation.
If these claims are true, then CarGurus will be the 15th ShinyHunters victim recently similarly breached – with a phishing phone call leading to the compromise of an Okta, Entra or Google SSO dashboard.
Experts from Google and Mandiant recently explained how ShinyHunters was able to hack so many organizations so quickly, by deploying a highly effective combination of vishing and custom infrastructure.
It all starts with a phone call in which ShinyHunters pose as IT staff and technical agents. They call employees in different roles and tell them their MFA settings need to be updated.
At the same time, they use custom infrastructure: they have created highly modular and customizable phishing landing pages that they can modify in real time. Therefore, if the victim uses Google SSO, they will receive the appropriate landing page, which can then transform depending on the type of MFA used by the employee in question.
When the attacker obtains the login credentials and MFA codes, he logs into the Okta, Entra, or Google SSO dashboard, through which he can choose the type of data to steal: Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox, or a myriad of others. ShinyHunters apparently prefer Salesforce, although they won’t pass up another opportunity either.
Finally, after exfiltrating all the stolen data, they will add a sample to their data leak page and contact the victim to try to make them pay.
Some of the companies victimized by this attack include Mercer Advisors, Beacon Pointe Advisors, Canada Goose, Figure Technology Solutions, Betterment, Match Group, Panera Bread, Carvana and Edmunds.
Via The register
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
