SOCRadar® Cyber Intelligence Inc. | February 2026: ShinyHunters Attacks Hit Odido, CarGurus, Panera Bread, and Figure
Mar 31, 2026

February 2026: ShinyHunters Attacks Hit Odido, CarGurus, Panera Bread, and Figure

February 2026 brought a fresh wave of data breach disclosures, and the pattern was hard to miss. Extortion-driven attacks continued to spread across consumer brands, ecommerce platforms, telecom providers, and even government systems, often by exploiting identity access, support tools, or third-party relationships.

Several of the month’s most notable incidents were linked to alleged ShinyHunters activity, while others exposed how a single set of stolen credentials or a compromised subcontractor can put millions of records at risk.

Odido Breach Leaked 6.2 Million Customers

One of the month’s most serious disclosures involved Odido, where ShinyHunters reportedly posted stolen customer data online for several days. The group allegedly attempted to extort the company and threatened to release “1 million lines” of data per day unless a ransom was paid.

Odido said the breach affected 6.2 million current and former customers. The exposed data reportedly included names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers. Attackers, however, claimed the total dataset covered more than 8 million people.

What made this case especially concerning was the reported presence of internal customer service notes in the leaked data. According to reporting on the exposed records, the second batch included free-text notes referencing stalking, threats, domestic violence, and protected addresses. That raised the risk from financial fraud to possible real-world safety consequences.

Security updates on Odido website

ManoMano Support Portal Compromise Allegedly Affected Roughly 38 Million People

ManoMano also faced a major breach tied to its customer support environment. Although the incident took place in January 2026, customers were notified in late February, bringing the full scope into clearer view.

The company described the incident as the result of a compromised customer service subcontractor. Reports suggested the intrusion path involved a support portal consistent with a Zendesk environment used for customer interactions. ManoMano’s customer notice said the exposed data included customer names, email addresses, phone numbers, and customer service conversations.

Separately, a threat actor known as “Indra” claimed on BreachForums to have stolen around 43GB of data. The alleged dataset included information linked to 37.8 million user accounts, more than 900,000 service tickets, and over 13,000 attachments.

The scale of the incident stretched across the five European markets where ManoMano operates: France, Germany, Italy, Spain, and the United Kingdom. The case is another reminder that support platforms and outsourced service relationships can become high-value entry points for attackers.

ShinyHunters’ Alleged CarGurus Leak Posted 12.4 Million Records, 6.1GB Archive

A dataset allegedly stolen from CarGurus was also linked to ShinyHunters during the month. Reports described the leak as containing 12.4 million records, with roughly 70% said to be newly exposed data.

The leaked archive was reportedly 6.1GB in size, though the initial access method has not been clearly identified. The exposed information was described as a mix of personal and financial data, including physical addresses, phone numbers, and financing-related details.

That combination makes the breach particularly useful for fraud and impersonation attempts. Attackers could use the data to craft convincing messages that appear to come from dealerships, lenders, or customer support channels. Because CarGurus operates in the United States, Canada, and the United Kingdom, the potential impact extends across multiple major markets.

Threat actor card of ShinyHunters

French Bank Account Database Was Accessed Using Stolen Official Credentials

On February 18, 2026, French authorities disclosed that a hacker had accessed a national bank account database containing information tied to 1.2 million accounts.

According to the ministry, the unauthorized access began near the end of January and relied on stolen credentials belonging to an official. The accessed data reportedly included bank account numbers, account holder names and addresses, and in some cases tax numbers.

Officials said the attacker could not view balances or carry out transactions through the database. They also stated that measures were taken to block the threat actor and prevent data removal after the activity was detected. Affected individuals were set to be notified, while French authorities also filed a criminal complaint and informed CNIL.

Panera Bread Confirmed Breach; Researchers Estimated 5.1 Million Unique People

Panera Bread also confirmed a cybersecurity incident after ShinyHunters claimed to have stolen customer records and listed the company on its leak site. The threat actor initially claimed more than 14 million customer records, but later analysis suggested the affected dataset corresponded to roughly 5.1 million unique individuals.

The exposed data was described as customer contact information, including email addresses, names, phone numbers, and physical addresses. Panera said it contacted law enforcement and took steps to address the issue, though it did not disclose technical details about how the breach occurred.

ShinyHunters also claimed the intrusion involved Microsoft Entra single sign-on, but that detail remained unconfirmed by Panera. The group attempted extortion before publishing a 760MB archive of the data.

Overview of the Panera Bread data breach (Have I Been Pwned)

Figure Breach Exposed 967,200 Unique Emails, ShinyHunters Claimed Responsibility

Figure also confirmed a data breach in February 2026, though the company provided only limited detail at first. It said hackers had stolen a restricted number of files but did not specify the exact types of data involved or how many customers were affected.

Later analysis of the allegedly stolen data painted a clearer picture. Researchers found 967,200 unique email addresses connected to Figure customers, along with names, dates of birth, physical addresses, and phone numbers.

ShinyHunters claimed responsibility for the breach and reportedly published 2.5GB of data on its leak site. That fits the broader pattern seen across several February incidents, where public data exposure appeared to serve as pressure in extortion attempts.

Stay Ahead of Breach Fallout With SOCRadar Dark Web Monitoring

See exposed data earlier, track criminal chatter faster, and act before stolen information turns into targeted fraud.

When threat actors such as ShinyHunters publish or sell stolen data, the damage rarely ends with the initial breach disclosure. Customer records, internal notes, credentials, and contact details can continue circulating across Dark Web forums and leak channels long after the first headlines fade.

That is where SOCRadar Dark Web Monitoring adds value. It helps security teams detect exposed company data, monitor underground sources for emerging threats, and gain earlier visibility into leaked credentials, stolen records, and attacker discussions tied to their organization.

SOCRadar’s Dark Web Monitoring

With that visibility, teams can investigate faster, assess potential impact, and prioritize response actions before breach fallout expands into phishing campaigns, account takeover attempts, or follow-on extortion. For organizations trying to reduce the gap between exposure and action, Dark Web Monitoring provides a practical layer of early warning.