CarGurus Breach: Lunar’s View


On February 19, 2026, automotive marketplace CarGurus (cargurus.com) appeared in public reporting about a cybersecurity incident. Although the exact entry vector is still under investigation, the incident points to a broader truth: long before most breaches are detected, infostealer‑harvested credentials circulate in the underground economy, quietly eroding the identity perimeter.

Lunar’s telemetry around the cargurus.com domain suggests that valid corporate credentials for CarGurus had been exposed months prior to the reported incident. This establishes a “pre‑compromise” environment, in which access brokers and other threat actors acquire active credentials for high‑value applications like Single Sign-On (SSO) long before malicious activity hits internal logs.

Executive Snapshot

  • Observation window: September 2025
  • Observed malware family: X‑Files infostealer
  • Distinct credential exposures linked to cargurus.com: ~1
  • Impacted endpoint types: Windows (corporate/personal mix)
  • Exposed service category: Single Sign‑On (SSO)

While Lunar only detected one credential set, the fact that it was SSO amplifies its importance. A single exposed SSO credential can pave access to multiple internal and SaaS applications, turning a “small” exposure into a potentially wide attack surface.

What Lunar Saw Before the CarGurus Incident 

In September 2025, Lunar observed X‑Files infostealer activity involving cargurus.com‑linked credentials. The data was taken from a Windows endpoint whose browser held stored passwords, session cookies and autofill data tied to a corporate SSO environment.

Since SSO acts as a gateway to critical applications, including internal dashboards, CRM systems, customer‑support tools, and analytics platforms, a compromised SSO credential is far more dangerous than a single account takeover (ATO) attempt. In environments where role‑based access and device trust are less consistently enforced, it can let an attacker move laterally between systems with a single login.

The gap between the September 2025 exposure and the February 2026 incident shows how stolen credentials can remain dormant for months. During that time, logs can be exchanged, combined, or resold between the original infostealer operator, an Initial Access Broker (IAB), and attackers looking for a foothold in a particular industry or brand.

The Infostealer Lifecycle and Valid Accounts 

Infostealers like X‑Files are commodity malware families designed to exfiltrate whatever a user’s browser knows, including:

  • Saved usernames and passwords
  • Session cookies and tokens
  • Autofill information, such as email addresses and internal URLs

X‑Files is deployed through malicious downloads, cracked software, or weaponized documents, after which it quietly extracts data from infected Windows endpoints. The “logs” it creates are then uploaded to an operator’s infrastructure and prepared for sale or distribution.

From a threat-intelligence perspective, these logs map to MITRE ATT&CK technique T1078 (Valid Accounts). Instead of exploiting a vulnerability, an adversary simply logs in with valid credentials obtained from underground markets. When the exposed account is tied to SSO, the attacker unlocks many downstream services at once.

For security professionals, this creates a visibility gap. Internal tools may never register the moment the credentials were stolen; all they see later is a valid login to a sanctioned SSO portal, which makes early detection extremely difficult.

A Plausible Attack Pattern

Lunar does not claim that the specific X-Files exposure observed in September 2025 was in fact put to use in the February 2026 CarGurus incident. However, the activity follows a familiar pattern in identity-based attacks:

  1. Infection: A user inadvertently installs the X‑Files infostealer on a corporate or personal Windows device, for example through a cracked application, fake installer, or phishing email.
  2. Exfiltration: X‑Files retrieves all browser‑stored credentials and cookies, including those connected to an organization’s SSO portal, and exfiltrates them to the malware operator’s infrastructure.
  3. Liquidity: The data is then packaged into “logs” and sold on underground markets, where Initial Access Brokers buy and catalogue them, flagging entries by domain and service type.
  4. Leverage: A threat actor buys the logs and uses the valid SSO credentials to authenticate into the enterprise environment, zeroing in on accounts that don’t support a strong, hardware‑based MFA framework. From there, they can explore, escalate privileges, or possibly exfiltrate data. 

CarGurus is not alone in this cycle. The case shows how commodity malware has commoditized initial access, turning infostealer output into a liquid asset that can be weaponized even months after the original infection.

The Human Factor: Shadow IT and Personal Devices 

The exposures observed by Lunar involve both corporate and personal Windows endpoints, highlighting a familiar problem for CISOs: the blurred line between work and personal computing.

Employees frequently sign in to corporate SSO applications from personal laptops, shared home PCs, and other unmanaged devices. These endpoints often lack enterprise-grade controls such as managed EDR, hardened configuration baselines, and regular patching, yet their browsers still store corporate credentials and session cookies.

So if a family member downloads risky software or visits a malicious site on such a device, an infostealer infection can capture corporate SSO credentials just as easily as personal logins. Although the theft happens outside the monitored perimeter, the damage lands inside corporate production systems and SaaS platforms.

Defensive Takeaways: Shrinking the Pre‑Breach Window

The CarGurus incident highlights how pre‑breach credential exposure can set the stage for later compromise. Although the X‑Files activity in question has not been shown to be the root cause of the February 2026 event, it represents a high‑risk condition that is common across many enterprises. Security teams should consider the following measures to help shrink the pre‑breach window:

  • Use phishing-resistant MFA: Avoid SMS and basic push notifications, particularly for SSO and highly‑privileged accounts. Hardware security keys and other phishing-resistant authenticators significantly reduce the value of stolen passwords and defeat many session-replay attempts.
  • Continuously monitor for exposed credentials: Treat any appearance of corporate credentials in infostealer logs as an active incident signal. Lunar and similar threat‑intelligence platforms can identify exposed accounts in near real time, enabling prompt password resets, token revocation and targeted investigation.
  • Apply a “managed devices only” policy for sensitive SSO access: Limit access to SSO apps to devices that meet corporate security baselines. Where that is not feasible, apply stricter conditional access policies and closer monitoring of unmanaged endpoints.
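To make the visibility gap and the takeaways above concrete, here is an added example (not Lunar's code or any real telemetry) that correlates a constructed exposed-credential feed with constructed SSO login events: it flags every successful login by an account that had a prior exposure, measures the pre-breach window in days, and raises severity when the login used non-phishing-resistant MFA or came from an unmanaged device. The field names, the `sso.example-corp.com` domain and all users are assumptions for illustration.

```python
# Added example (not Lunar's code): correlate an exposed-credential feed with SSO
# login events to surface T1078 "valid account" logins that follow a known exposure.
# Every record below is constructed sample data, not real telemetry.
from datetime import datetime

# Constructed infostealer-log feed: one exposure tied to the (hypothetical) SSO domain.
EXPOSURE_FEED = [
    {"user": "jdoe", "domain": "sso.example-corp.com", "malware": "X-Files",
     "seen": "2025-09-10", "host_type": "personal"},
]

# Constructed SSO authentication events, as an IdP would normally log them.
SSO_EVENTS = [
    {"ts": "2025-09-12T08:01:00", "user": "jdoe", "result": "success",
     "mfa": "fido2", "device_managed": True},
    {"ts": "2026-02-18T03:22:00", "user": "jdoe", "result": "success",
     "mfa": "sms", "device_managed": False},
    {"ts": "2026-02-18T09:15:00", "user": "asmith", "result": "success",
     "mfa": "push", "device_managed": True},
]
PHISHING_RESISTANT = {"fido2", "webauthn", "hardware_key"}

def correlate(feed, events):
    """Return one alert per successful login by an account with a prior exposure,
    recording the pre-breach window (days since exposure) and the weaknesses that
    would let a stolen password succeed (weak MFA, unmanaged device)."""
    exposed = {e["user"]: datetime.fromisoformat(e["seen"]) for e in feed}
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["user"] not in exposed:
            continue
        when = datetime.fromisoformat(ev["ts"])
        first_seen = exposed[ev["user"]]
        if when < first_seen:
            continue  # login predates the exposure; not attributable to it
        risks = []
        if ev["mfa"] not in PHISHING_RESISTANT:
            risks.append("weak_mfa:" + ev["mfa"])
        if not ev["device_managed"]:
            risks.append("unmanaged_device")
        alerts.append({"user": ev["user"], "ts": ev["ts"],
                       "days_since_exposure": (when - first_seen).days,
                       "risks": risks,
                       "severity": "high" if risks else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EXPOSURE_FEED, SSO_EVENTS):
        print(alert)
```

In a real deployment the feed would come from a platform such as Lunar and the events from the IdP's audit log; the point is that the exposure feed turns an otherwise ordinary "valid login" into a prioritized alert.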

By marrying strong identity controls to external visibility into pre‑breach credential exposure, organizations can shorten the dwell time between theft and use, turning infostealer‑driven access from a silent breach enabler to a manageable and observable risk.

Disclaimer 

This report is based on telemetry observed by Lunar and publicly available information. The findings presented are provided for informational purposes only. Lunar does not claim direct attribution, nor does it assert that the observed credential exposures were the definitive cause of the reported security incident. This analysis represents a correlation of temporal data points and does not constitute a “smoking gun” or identify “patient zero.”

Dan Breslaw