ShinyHunters Pwns Another Victim

The online automotive marketplace CarGurus is the latest victim of the ShinyHunters campaign after the group published a 6.1 GB dataset of approximately 12.4 million account records on February 21.
Have I Been Pwned notes that about 70% of the exposed email addresses were previously seen in breach databases, though substantial fresh data appears to be included. Analysis by the breach monitoring site indicated that the archive included:
- Email addresses
- IP addresses
- Full names
- Phone numbers
- Physical addresses
- User IDs
- Finance application data
- Dealer account details
CarGurus has not publicly confirmed the breach or provided an official statement.
In a separate but related incident, Wynn Resorts confirmed that hackers accessed employee data after the company appeared on ShinyHunters’ data leak portal on February 20. In that listing, the hackers claimed to have stolen more than 800,000 records containing PII (including SSNs) and employee data, and made an extortion threat demanding a ransom of 22.34 bitcoin (roughly $1.5 million).
Since then, the company stated that the alleged attackers claimed the stolen data had been deleted, and as of the latest reports, Wynn has not observed evidence that the information was publicly leaked or misused.
Although the method used to obtain the data has not been confirmed, ShinyHunters, a cybercrime group known for ransom-or-release tactics, has a history of carrying out advanced voice phishing campaigns that have led to breaches targeting more than 100 organizations, including Optimizely, Figure, Panera Bread, and Crunchbase.
Denis Calderone, CRO & COO, Suzu Labs:
“ShinyHunters is basically operating what feels like an extortion assembly line. In the last few months we’ve seen over a dozen high-profile organizations get hit: Panera, SoundCloud, Match Group, CarGurus, Wynn, and the list keeps growing.
“The speed and volume here is what should concern security leaders. They have obviously found something that works here, and it seems that just one well-placed phone call is all it takes, and they are getting access to your every connected SaaS app in the environment.
“The Wynn situation is particularly interesting. They appear to have reached an agreement, and the listing was pulled. ShinyHunters has a track record of honoring these deals, AT&T being the most public example. So, paying apparently works, which makes this an agonizing decision for any executive sitting across the table from legal counsel right now. But none of us should want to fund what is clearly a thriving criminal enterprise. Every payment validates the model and funds the next wave of attacks.
“That’s why the conversation needs to stay focused on preventing the breach, not negotiating after it. Segment your data, lock down SSO with phishing-resistant MFA, and make your environment painful enough to navigate that these groups move on to the next target. Let’s face it, the era of hardware-backed authentication is upon us.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“What ShinyHunters keeps demonstrating is that you don’t need a sophisticated exploit when permissions do the work for you. Once attackers compromise a single set of credentials, SSO and broad SaaS integrations turn that one access point into keys to dozens of systems. The entry is simple. The blast radius is anything but.
“Organizations are still measuring risk by how hard it is to get in, when the more urgent question is how far an attacker can move once they’re there.”
ShinyHunters is one of those groups that I cannot stop writing about, seeing as I wrote about them just yesterday. That’s bad for all of us, as it is highly likely that we will hear more from them in the coming days and weeks ahead.
This entry was posted on February 26, 2026 at 9:22 am and is filed under Commentary with tags Hacked.