ShinyHunters leaked data from 12.4M CarGurus accounts, exposing personal information from the U.S.-based auto research and shopping platform.
The ShinyHunters group published personal data from over 12 million CarGurus accounts. CarGurus is a U.S.-based digital automotive marketplace that helps users research, compare, and connect with sellers of new and used vehicles. Operating in the U.S., Canada, and the U.K., its platform analyzes listings to identify good deals and provides tools for pricing, dealer reviews, and vehicle history. The site attracts around 40 million monthly visitors and is publicly traded, making it a major player in online car shopping and automotive research.
In February 2026, CarGurus suffered a data breach that exposed personal information, including emails, account IDs, finance applications, dealer info, names, phone numbers, addresses, IPs, and auto finance application results after a failed extortion attempt.
On February 21, the ShinyHunters group leaked a 6.1GB compressed archive containing over 12.4 million records.
The data breach monitoring service HaveIBeenPwned (HIBP) also added CarGurus to its database.
Compromised data includes:
- Email addresses
- Names
- Physical addresses
- IP addresses
- Phone numbers
The CarGurus data breach poses multiple risks for customers. With personal information such as names, email addresses, phone numbers, and account IDs exposed, individuals face a heightened risk of phishing and social engineering attacks, as cybercriminals can craft convincing messages using real data. The leak of finance application details and other sensitive records also opens the door to identity theft and financial fraud. Exposed account information increases the likelihood of account takeovers, especially if users reuse passwords across platforms. Additionally, the disclosure of physical addresses and IP data raises privacy concerns, potentially enabling targeted marketing, stalking, or other malicious activity. Overall, these risks highlight the importance of vigilance, strong password hygiene, and monitoring for suspicious activity following the breach.
The ShinyHunters extortion group has recently targeted major companies, leaking data when ransom demands fail. Victims include Odido, Figure, Canada Goose, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ShinyHunters)
