CarGurus users may be facing a major privacy headache after a large dataset tied to the platform appeared online and was linked to the ShinyHunters cybercrime group.
Quick Summary – TLDR:
- A dataset linked to CarGurus was published online and added to Have I Been Pwned, affecting more than 12 million records.
- The exposed information reportedly includes emails, names, phone numbers, addresses, and some finance related data.
- Have I Been Pwned says about 70 percent of the data had appeared in prior breaches, but millions of records may be new.
- Security researchers warn the leak could fuel phishing, identity scams, and targeted fraud.
What Happened?
The ShinyHunters extortion group has published what it claims is a stolen dataset from CarGurus, a digital automotive marketplace used by shoppers and dealers across the U.S., Canada, and the U.K. The leak, reported as a 6.1GB archive with about 12.4 million records, has now been indexed by Have I Been Pwned, allowing people to check whether their details appear in the breach.
🚨 CarGurus Breach Exposes 12.5M Accounts After ShinyHunters Leak Hits HIBP
CarGurus data attributed to ShinyHunters was published after an extortion attempt failed and later verified by Have I Been Pwned, exposing ~12.5M accounts with 12M+ unique emails plus PII (names, phones,…
— ThreatSynop (@ThreatSynop) February 23, 2026
A huge dataset is now circulating online
CarGurus is best known as a car research and shopping platform that helps users find listings, compare prices, and contact dealers. The site draws heavy traffic, with reports estimating around 40 million monthly visitors, which is part of why this incident is getting so much attention.
According to reporting around the data leak, ShinyHunters posted a compressed archive said to contain roughly 12.4 million entries. The dataset size is described as 6.1GB, and it was published publicly after the group claimed negotiations with the company did not go their way. One report described the release as coming after an extortion attempt that appeared to stall, resulting in the data being posted for anyone to download.
What information was exposed?
Have I Been Pwned, run by security researcher Troy Hunt, added the incident after reviewing the material. The data types listed as exposed are broad and include both consumer and business related details.
Reportedly compromised data includes:
- Email addresses
- IP addresses
- Full names
- Phone numbers
- Physical addresses
- User account IDs
- Finance pre-qualification application data
- Finance application outcomes
- Dealer account details
- Subscription information
That mix is concerning because it is the kind of profile data scammers love. Even if a person never applied for financing, a record that connects an email to a name, phone number, and address can still make phishing more convincing and more personal.
Not all of it is new, but that does not make it harmless
Have I Been Pwned also noted that around 70 percent of the leaked information was already present in its database from earlier incidents. That suggests a portion of the dataset may be recycled or previously exposed data being bundled together again. Still, the same reporting indicates that roughly 3.7 million records may be new, which is a big number by any standard.
Even older leaked data can cause problems because it stays useful for criminals. Many people keep the same email address for years, and some reuse passwords. Attackers can also combine old leaks with newer ones to build richer profiles for fraud.
ShinyHunters keeps popping up across industries
ShinyHunters has been tied to a growing list of data breach claims and leaks, often using extortion tactics where stolen data is posted when victims do not negotiate or pay. Recent targets mentioned in reporting include companies such as Odido, Optimizely, Figure, Canada Goose, Panera Bread, Match Group, and SoundCloud.
The group has also been associated with social engineering, especially voice phishing. In several cases, ShinyHunters has been linked to schemes that trick employees into handing over login credentials or single sign-on codes, which can open the door to the cloud services modern businesses run on.
One report also described a tactic in which attackers talk staff through installing a malicious OAuth app, giving the criminals API-level access to customer data inside tools like Salesforce without ever needing the victim's password again. Another described voice phishing used to obtain single sign-on codes for services from Okta, Microsoft, and Google.
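One defensive check that follows from the OAuth-app tactic above, written here as an added example rather than anything from the article, CarGurus, or any of the named vendors: scan OAuth consent events for apps that were granted broad, long-lived API scopes by end-user consent and that are not on a reviewed allowlist. The JSON-lines log format, the scope names, the allowlist, and the sample events are all constructed for illustration; map them onto whatever your identity provider or SaaS platform actually emits.

```python
"""Flag risky OAuth app consent grants (added example, constructed log format)."""
import json
from dataclasses import dataclass

# Scopes that hand an app broad, long-lived API access. Names are illustrative;
# real providers use their own scope strings, so adjust this set to match.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "offline_access"}

# Apps the organisation has reviewed and approved (assumed allowlist).
APPROVED_APP_IDS = {"app-ops-dashboard", "app-backup-connector"}

# Constructed sample consent events: an approved app with broad scopes,
# an unknown app granted broad scopes by a user, and a narrow-scope app.
SAMPLE_LOG = """\
{"ts":"2026-02-20T09:12:01Z","user":"alice@example.com","app_id":"app-ops-dashboard","app_name":"Ops Dashboard","scopes":["api","refresh_token"],"granted_by":"admin"}
{"ts":"2026-02-20T14:47:33Z","user":"bob@example.com","app_id":"app-7f3c2","app_name":"Data Loader Helper","scopes":["full","refresh_token"],"granted_by":"user"}
{"ts":"2026-02-21T08:03:10Z","user":"carol@example.com","app_id":"app-calendar","app_name":"Calendar Sync","scopes":["read_calendar"],"granted_by":"user"}
"""


@dataclass
class Finding:
    ts: str
    user: str
    app_id: str
    app_name: str
    risky_scopes: list
    reason: str


def analyse_grants(log_text: str) -> list:
    """Return one Finding per consent event that matches the risky pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        risky = sorted(set(ev.get("scopes", [])) & HIGH_RISK_SCOPES)
        if not risky:
            continue  # narrow scopes: not the pattern we are hunting
        if ev["app_id"] in APPROVED_APP_IDS:
            continue  # reviewed app: broad scopes are expected there
        reason = "unapproved app granted broad API scopes"
        if ev.get("granted_by") == "user":
            # Self-service consent is the path a vished employee walks down.
            reason += " via end-user consent (vishing/OAuth-consent pattern)"
        findings.append(
            Finding(ev["ts"], ev["user"], ev["app_id"], ev["app_name"], risky, reason)
        )
    return findings


if __name__ == "__main__":
    for f in analyse_grants(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.app_name} ({f.app_id}) scopes={f.risky_scopes}: {f.reason}")
```

Run against the constructed sample, only the "Data Loader Helper" grant is flagged: it is not on the allowlist, it asked for `full` plus `refresh_token`, and an end user rather than an admin consented to it. In a real tenant the same logic should also be paired with a policy that disables user-level consent for apps requesting those scopes, so the alert becomes a rare event instead of a daily one.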
SQ Magazine Takeaway
I do not like how normal this is becoming. A car shopping site should not turn into a long term risk to your inbox, your phone, and your identity. Even if some of this data was already floating around, bundling it into one easy download is like handing scammers a ready made playbook. If you have ever used CarGurus, assume you may be targeted with very believable messages, and lock down your accounts now before the next wave of scams hits.