ShinyHunters Attack Impacts Over 12.4 Million CarGurus User Accounts

119/69 Friday, February 27, 2026

The cybercrime group ShinyHunters has published personal data from more than 12.4 million user accounts belonging to CarGurus after a failed extortion attempt. CarGurus is a U.S.-based online automotive marketplace and research platform operating in the United States, Canada, and the United Kingdom. The platform attracts approximately 40 million monthly visitors and is publicly traded, making it a major player in the online car sales industry.

The incident occurred in February 2026 and resulted in the exposure of personal data, including email addresses, user account IDs, auto finance application details, dealer information, full names, phone numbers, physical addresses, IP addresses, and loan approval results. On February 21, ShinyHunters released a 6.1GB compressed archive containing more than 12.4 million records. The data breach monitoring service Have I Been Pwned (HIBP) has since added CarGurus to its database of compromised services.

The leaked data includes email addresses, full names, addresses, IP addresses, and phone numbers, creating significant risks for affected users. These risks include highly convincing phishing and social engineering attacks leveraging real personal data, identity theft, financial fraud (particularly where loan application data is involved), and account takeover attempts, especially if users reused passwords across multiple platforms. ShinyHunters has previously targeted several major organizations, including Odido, Figure, Canada Goose, and SoundCloud. The group is known for using social engineering tactics, particularly voice phishing (vishing), to steal credentials and gain access to SaaS platforms such as Salesforce, Okta, and Microsoft 365.

Source https://securityaffairs.com/188491/cyber-crime/shinyhunters-cyberattack-on-cargurus-impacts-12-4-million-users.html