ShinyHunters Claims CarGurus and Carnival Customer Data Breaches
Car-shopping platform CarGurus disclosed a data breach affecting 12.4 million accounts, after the ShinyHunters extortion group claimed it had stolen customer records and offered a dataset for sale. Reporting indicated the exposed information included account and profile data tied to millions of users, while earlier claims from the group had put the haul at roughly 1.7 million records, highlighting uncertainty around the exact scope as public reporting evolved.
A separate incident hit Carnival Corporation, where a dataset flagged by Have I Been Pwned contained 8.7 million records and 7.5 million unique email addresses allegedly linked to Holland America Line’s Mariner Society loyalty program. The data reportedly included names, dates of birth, gender, and membership-status details, raising fraud and phishing concerns. Carnival said it was investigating what it described as a phishing attack involving a single user account, but ShinyHunters claimed responsibility and alleged it also stole terabytes of internal corporate data, suggesting the compromise may extend beyond a limited account breach.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters claims Carnival data theft and internal corporate exfiltration
ShinyHunters claimed responsibility for the Carnival incident, alleging it stole customer data as well as terabytes of internal corporate data after negotiations with the company failed.
Carnival acknowledges security incident and says phishing hit one account
Carnival Corporation confirmed it was investigating a security incident and said it involved a phishing attack affecting a single user account, while assessing the extent of unauthorized access.
HIBP flags alleged Holland America loyalty dataset tied to Carnival
Have I Been Pwned identified a dataset containing 8.7 million records and 7.5 million unique email addresses allegedly linked to Holland America Line's Mariner Society loyalty program, bringing the incident to public attention.
CarGurus breach reported as affecting 12.4 million accounts
A later report said the CarGurus data breach exposed information from 12.4 million accounts, indicating a substantially larger scope than the initial claim.
ShinyHunters claims theft of 1.7 million CarGurus records
The ShinyHunters extortion group claimed it had stolen 1.7 million records from CarGurus, marking the first reported disclosure in these references of a CarGurus-related breach claim.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ShinyHunters claim they have cruise giant Carnival’s booty
theregister.com
Open sourceCarGurus data breach exposes information of 12.4 million accounts
linkedin.com
Open sourceMajor CarGurus data breach reportedly sees 1.7 million corporate records stolen | TechRadar
techradar.com
Open sourceShinyHunters claims it drove off with 1.7M CarGurus records
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
May 6, 2026
CarGurus Customer Data Leak Attributed to ShinyHunters
**CarGurus** customer data was published online in a leak attributed to the **ShinyHunters** extortion group, exposing roughly **12.4–12.5 million** accounts. A **6.1GB** archive was posted and subsequently ingested by *Have I Been Pwned* (HIBP) after validation checks; HIBP reported the dataset includes **email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs**, and additional sensitive business/transactional fields such as **finance pre-qualification application data, finance application outcomes, dealer account details, subscription information**, and account ID mappings. HIBP indicated about **70%** of the data had appeared in prior breaches already tracked by the service, implying roughly **3.7 million** records may be newly exposed; the public availability of the dataset increases risk of **targeted phishing and fraud** using the enriched identity and financing-related attributes. CarGurus had not publicly confirmed the incident at the time of reporting and did not respond to media requests, while HIBP and reporting attributed the breach to ShinyHunters, a group known for **social engineering/vishing-style** intrusions and subsequent extortion/leak tactics. Separate ShinyHunters-linked incidents reported in the same period included **Wynn Resorts** confirming theft of employee data following an extortion threat, and **Optimizely** disclosing a breach tied to a **voice-phishing** attack that exposed limited business contact information; these are distinct events and do not change the core CarGurus exposure but reinforce the group’s ongoing operational tempo and reliance on social engineering to obtain access and data for leverage.
Mar 27, 2026
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026