CarGurus Data Breach Exposes 12.5 Million User Records in Alleged ShinyHunters Compromise

Summarize with:

ChatGPT Claude.ai Google AI Grok Perplexity

Add as preferred source on Google

Automotive marketplace CarGurus suffered a data breach in February 2026, which resulted in the exfiltration of a massive dataset containing personally identifiable information (PII). On February 22, 12.5 million email addresses were added to the Have I Been Pwned (HIBP) breach notification service.

Automotive Marketplace Breach Details: ShinyHunters Cyberattack

Following an unsuccessful ShinyHunters extortion attempt against the company, the threat actors publicly released the compromised data, according to HIBP. The alleged compromised data dump is extensive, impacting multiple facets of the platform's user base. 

The breach reportedly includes several distinct files containing user account ID mappings, dealer account details, subscription information, and sensitive data from finance pre-qualification applications. 

The exposed PII includes:

• full names, 
• email addresses, 
• phone numbers,
• physical addresses, 
• IP addresses. 

ShinyHunters claimed in their post that "other internal corporate data" was also stolen, amounting to more than 17 million records.

Data Security Implications in the Automotive Industry

Online marketplaces like CarGurus aggregate vast quantities of valuable consumer and commercial data, making them high-value targets for threat actors. Reports say ShinyHunters suggested the breach occurred on February 13, as part of the group’s custom PhaaS kit vishing campaign targeting Okta SSOs. 

Organizations in this sector need to implement robust security controls, including multi-factor authentication (MFA) and stringent access management, to protect against such damaging cyberattacks.

TechNadu reported earlier this month that automotive giant Volvo exposed employee information via a Conduent data breach, and INC Ransom claimed an attack on automotive supplier Yazaki Group in December.

Related

Cornwall Council Data Breach Exposes Unredacted Complainant PIIs

Cyber Job Moves: Security Leadership Expands Across Enterprise and Cyber Vendors

Critical Infrastructure Under Pressure as AI Threats Grow and Global Enforcement Responds

PromptSpy: First Documented Android Malware to Leverage Generative AI, Likely Impersonated a JPMorgan Chase Bank

French Government Discloses Major National Bank Account Registry Breach

ATM Jackpotting Attacks Using the Ploutus Malware Surge Across the US, FBI Warns

Your Weekly Cybersecurity Briefing

Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.

Subscribe for Free

Please enter a valid email address.

Most Popular

Cornwall Council Data Breach Exposes Unredacted Complainant PIIs

Threat Actors Leveraged Several Commercial AI Tools to Breach 600 FortiGate Firewalls

Wisconsin Lawmakers Remove Controversial VPN Blocking Provision From Senate Bill 130 After Public Backlash

Cyber Job Moves: Security Leadership Expands Across Enterprise and Cyber Vendors

Windscribe Introduces Custom App Icons to Help Users Stay Discreet

Critical Infrastructure Under Pressure as AI Threats Grow and Global Enforcement Responds

Cornwall Council Data Breach Exposes Unredacted Complainant PIIs

Threat Actors Leveraged Several Commercial AI Tools to Breach 600 FortiGate Firewalls

Wisconsin Lawmakers Remove Controversial VPN Blocking Provision From Senate Bill 130 After Public Backlash

Cyber Job Moves: Security Leadership Expands Across Enterprise and Cyber Vendors

Windscribe Introduces Custom App Icons to Help Users Stay Discreet

Critical Infrastructure Under Pressure as AI Threats Grow and Global Enforcement Responds