CarGurus and Match Group: CarGurus data breach exposes information of 12.4 million accounts

ShinyHunters Leaks 12.4 Million CarGurus Records in Massive Data Breach

The ShinyHunters extortion group has released over 12 million records allegedly stolen from CarGurus, a U.S.-based digital automotive marketplace serving millions across the U.S., Canada, and the U.K. The breach, disclosed on February 21, involved a 6.1GB archive containing sensitive user data, including:

  • Email and IP addresses
  • Full names and phone numbers
  • Physical addresses
  • User account IDs
  • Finance pre-qualification and application details
  • Dealer account information
  • Subscription data

HaveIBeenPwned (HIBP) verified and added the dataset to its database, confirming that 3.7 million records were new, while the remaining 70% overlapped with prior breaches. Though CarGurus has not officially acknowledged the incident, the leaked data is now publicly accessible, raising concerns about phishing and fraud risks for affected users.

ShinyHunters, known for aggressive extortion tactics, has recently targeted multiple high-profile companies, including Odido, Optimizely, Figure, Canada Goose, Panera Bread, Match Group, and SoundCloud. The group typically gains access through social engineering, such as voice phishing, tricking employees into exposing credentials or installing malicious OAuth apps that grant API-level access to platforms like Salesforce, Okta, and Microsoft 365.

This breach underscores the growing threat of data extortion groups exploiting corporate systems to harvest and leak sensitive customer information.

Source: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/

CarGurus TPRM report: https://www.rankiteo.com/company/cargurus

Match Group TPRM report: https://www.rankiteo.com/company/matchgroup

"id": "matcar1771957470",
"linkid": "matchgroup, cargurus",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Millions (U.S., Canada, U.K.)',
                        'industry': 'Digital Automotive Marketplace',
                        'location': 'U.S.',
                        'name': 'CarGurus',
                        'type': 'Company'}],
 'attack_vector': 'Social Engineering (Voice Phishing, Malicious OAuth Apps)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '12.4 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Email addresses',
                                              'IP addresses',
                                              'Full names',
                                              'Phone numbers',
                                              'Physical addresses',
                                              'User account IDs',
                                              'Finance pre-qualification '
                                              'details',
                                              'Dealer account information',
                                              'Subscription data']},
 'date_detected': '2024-02-21',
 'date_publicly_disclosed': '2024-02-21',
 'description': 'The ShinyHunters extortion group has released over 12 million '
                'records allegedly stolen from CarGurus, a U.S.-based digital '
                'automotive marketplace. The breach involved a 6.1GB archive '
                'containing sensitive user data, including email and IP '
                'addresses, full names, phone numbers, physical addresses, '
                'user account IDs, finance pre-qualification details, dealer '
                'account information, and subscription data. HaveIBeenPwned '
                'verified and added the dataset to its database, confirming '
                '3.7 million new records. CarGurus has not officially '
                'acknowledged the incident, and the leaked data is now '
                'publicly accessible, raising concerns about phishing and '
                'fraud risks.',
 'impact': {'brand_reputation_impact': 'High',
            'data_compromised': '12.4 million records',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'entry_point': 'Social Engineering (Voice Phishing, '
                                          'Malicious OAuth Apps)'},
 'motivation': 'Extortion, Data Theft',
 'references': [{'source': 'HaveIBeenPwned (HIBP)'}],
 'threat_actor': 'ShinyHunters',
 'title': 'ShinyHunters Leaks 12.4 Million CarGurus Records in Massive Data '
          'Breach',
 'type': 'Data Breach'}