ShinyHunters Data-Theft and Extortion Targeting CarGurus and Wynn Resorts
ShinyHunters is linked to multiple large-scale data-theft and extortion operations, including a breach at automotive marketplace CarGurus in February 2026. After an attempted extortion, the stolen CarGurus data was published publicly and reportedly included 12M+ email addresses across multiple files, with additional exposed information such as names, phone numbers, physical and IP addresses, user account ID mappings, dealer account/subscription details, and auto finance pre-qualification application data (including application outcomes).
ShinyHunters also claimed to have stolen 800,000+ records from Wynn Resorts and demanded 22.34 Bitcoin (~$1.5M) to prevent publication, setting a deadline and threatening further “digital problems” if unpaid. Data samples reviewed by a media outlet reportedly contained employee PII including Social Security numbers, names, emails, phone numbers, job details, salaries, start dates, and birthdays; the group alleged initial access occurred in September 2025 via an Oracle PeopleSoft vulnerability combined with an employee’s credentials, and it did not clarify whether the credentials were obtained through social engineering or insider access-for-hire.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters sets Wynn Resorts ransom and leak deadline
ShinyHunters demanded that Wynn Resorts make contact by February 23, 2026, threatening to leak the stolen data and cause additional digital disruption if its demands were not met. The group also advertised a starting sale price of 22.34 bitcoin, about $1.5 million, for the data.
ShinyHunters lists Wynn Resorts on extortion site
By February 20, 2026, Wynn Resorts appeared on ShinyHunters' extortion site, where the group claimed it had stolen more than 800,000 employee records containing Social Security numbers, salary data, contact details, and other sensitive personal information. The Register reviewed sample data allegedly tied to the breach.
ShinyHunters attempts to extort CarGurus and later releases stolen data
After the CarGurus intrusion, ShinyHunters attempted to extort the company. When the extortion attempt failed, the stolen data was publicly released.
CarGurus suffers data breach attributed to ShinyHunters
In February 2026, automotive marketplace CarGurus experienced a data breach attributed to ShinyHunters. The stolen data reportedly included more than 12 million email addresses along with finance application, dealer account, subscription, and other personal and account-related information.
ShinyHunters allegedly gains access to Wynn Resorts via Oracle PeopleSoft
A ShinyHunters spokesperson claimed the group obtained initial access to Wynn Resorts in September 2025 through an Oracle PeopleSoft vulnerability using an employee's credentials. The report did not clarify whether the credentials were acquired through social engineering or purchased from an insider.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CarGurus Customer Data Leak Attributed to ShinyHunters
**CarGurus** customer data was published online in a leak attributed to the **ShinyHunters** extortion group, exposing roughly **12.4–12.5 million** accounts. A **6.1GB** archive was posted and subsequently ingested by *Have I Been Pwned* (HIBP) after validation checks; HIBP reported the dataset includes **email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs**, and additional sensitive business/transactional fields such as **finance pre-qualification application data, finance application outcomes, dealer account details, subscription information**, and account ID mappings. HIBP indicated about **70%** of the data had appeared in prior breaches already tracked by the service, implying roughly **3.7 million** records may be newly exposed; the public availability of the dataset increases risk of **targeted phishing and fraud** using the enriched identity and financing-related attributes. CarGurus had not publicly confirmed the incident at the time of reporting and did not respond to media requests, while HIBP and reporting attributed the breach to ShinyHunters, a group known for **social engineering/vishing-style** intrusions and subsequent extortion/leak tactics. Separate ShinyHunters-linked incidents reported in the same period included **Wynn Resorts** confirming theft of employee data following an extortion threat, and **Optimizely** disclosing a breach tied to a **voice-phishing** attack that exposed limited business contact information; these are distinct events and do not change the core CarGurus exposure but reinforce the group’s ongoing operational tempo and reliance on social engineering to obtain access and data for leverage.
Mar 27, 2026
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026
ShinyHunters Claims CarGurus and Carnival Customer Data Breaches
Car-shopping platform **CarGurus** disclosed a data breach affecting **12.4 million accounts**, after the **ShinyHunters** extortion group claimed it had stolen customer records and offered a dataset for sale. Reporting indicated the exposed information included account and profile data tied to millions of users, while earlier claims from the group had put the haul at roughly **1.7 million records**, highlighting uncertainty around the exact scope as public reporting evolved. A separate incident hit **Carnival Corporation**, where a dataset flagged by **Have I Been Pwned** contained **8.7 million records** and **7.5 million unique email addresses** allegedly linked to **Holland America Line’s Mariner Society** loyalty program. The data reportedly included names, dates of birth, gender, and membership-status details, raising fraud and phishing concerns. Carnival said it was investigating what it described as a phishing attack involving a single user account, but ShinyHunters claimed responsibility and alleged it also stole terabytes of internal corporate data, suggesting the compromise may extend beyond a limited account breach.
May 25, 2026