CarGurus Customer Data Leak Attributed to ShinyHunters
CarGurus customer data was published online in a leak attributed to the ShinyHunters extortion group, exposing roughly 12.4–12.5 million accounts. A 6.1GB archive was posted and subsequently ingested by Have I Been Pwned (HIBP) after validation checks; HIBP reported the dataset includes email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, and additional sensitive business/transactional fields such as finance pre-qualification application data, finance application outcomes, dealer account details, subscription information, and account ID mappings. HIBP indicated about 70% of the data had appeared in prior breaches already tracked by the service, implying roughly 3.7 million records may be newly exposed; the public availability of the dataset increases risk of targeted phishing and fraud using the enriched identity and financing-related attributes.
CarGurus had not publicly confirmed the incident at the time of reporting and did not respond to media requests, while HIBP and reporting attributed the breach to ShinyHunters, a group known for social engineering/vishing-style intrusions and subsequent extortion/leak tactics. Separate ShinyHunters-linked incidents reported in the same period included Wynn Resorts confirming theft of employee data following an extortion threat, and Optimizely disclosing a breach tied to a voice-phishing attack that exposed limited business contact information; these are distinct events and do not change the core CarGurus exposure but reinforce the group’s ongoing operational tempo and reliance on social engineering to obtain access and data for leverage.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CarGurus discloses contained cybersecurity incident
On February 24, 2026, CarGurus publicly acknowledged a contained cybersecurity incident after reports of a leaked customer dataset. The company said there was no indication that dealer data feeds, APIs, or core consumer and dealer-partner systems were compromised, and that operations continued without interruption.
CarGurus remains silent as breach reports emerge
By February 24, 2026, media reports said CarGurus had not issued an official breach statement and did not respond to requests for comment. The public availability of the leaked archive raised concerns about phishing, scams, identity theft, and financial fraud targeting users.
Have I Been Pwned adds the CarGurus breach
On February 22, 2026, Have I Been Pwned added the CarGurus dataset to its breach database after attempting to validate the leak. HIBP said roughly 70% of the records were already known from prior incidents, leaving about 3.7 million newly exposed records.
ShinyHunters publishes 6.1GB CarGurus data archive
On February 21, 2026, ShinyHunters published a freely downloadable 6.1GB archive they claimed contained about 12.4 million to 12.5 million CarGurus records. The leaked data reportedly included names, email addresses, phone numbers, physical addresses, IP addresses, account IDs, and finance pre-qualification and dealer-related information.
ShinyHunters allegedly steals CarGurus customer data
CarGurus suffered a data breach in which customer personal information and finance-related data were allegedly stolen. Reporting attributed the incident to the ShinyHunters extortion group, though CarGurus had not publicly confirmed the breach at the time of coverage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Have I Been Pwned: CarGurus Data Breach
haveibeenpwned.com
Open sourceShinyHunters cyberattack on CarGurus impacts 12.4 Million users
securityaffairs.com
Open sourceCarGurus data breach exposes information of 12.4 million accounts
bleepingcomputer.com
Open sourceCarGurus data breach affects 12.5 million accounts | TechCrunch
techcrunch.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026
Betterment and CarGurus Data Breach Claims Involving Stolen Customer and Corporate Records
Fintech platform **Betterment** reported a January 2026 social-engineering incident in which an employee was tricked into providing credentials that enabled unauthorized access to internal messaging systems via third-party tools. Betterment said it detected and contained the access the same day, launched an external forensic investigation, and later indicated the incident affected roughly **1.4 million customers**; exposed data included names, email addresses, and location data broadly, with a smaller subset including phone numbers, physical addresses, dates of birth, job titles, and device details. Betterment stated that **no financial accounts, logins, or passwords** were accessed, but warned that the stolen PII was used to send **crypto-scam messages** impersonating Betterment to pressure users into transferring funds. Separately, the extortion group **ShinyHunters** claimed it stole **1.7 million CarGurus corporate records** and threatened to leak the data if the company did not engage by a stated deadline; the criminals alleged the haul included PII and internal corporate data, and CarGurus had not publicly confirmed the claim at the time of reporting. The same reporting tied the CarGurus claim to a broader run of ShinyHunters-related leak-site postings and extortion threats against other organizations, with at least one victim (Canada Goose) indicating that data recently published online may have been **historical** rather than from a new intrusion.
Mar 21, 2026
ShinyHunters Data-Theft and Extortion Targeting CarGurus and Wynn Resorts
**ShinyHunters** is linked to multiple large-scale data-theft and extortion operations, including a breach at automotive marketplace **CarGurus** in February 2026. After an attempted extortion, the stolen CarGurus data was published publicly and reportedly included **12M+ email addresses** across multiple files, with additional exposed information such as names, phone numbers, physical and IP addresses, user account ID mappings, dealer account/subscription details, and auto finance pre-qualification application data (including application outcomes). ShinyHunters also claimed to have stolen **800,000+ records** from **Wynn Resorts** and demanded **22.34 Bitcoin (~$1.5M)** to prevent publication, setting a deadline and threatening further “digital problems” if unpaid. Data samples reviewed by a media outlet reportedly contained employee PII including **Social Security numbers**, names, emails, phone numbers, job details, salaries, start dates, and birthdays; the group alleged initial access occurred in **September 2025** via an **Oracle PeopleSoft vulnerability** combined with an employee’s credentials, and it did not clarify whether the credentials were obtained through social engineering or insider access-for-hire.
Mar 21, 2026