• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

CarGurus Users Caught in Massive Data Leak Linked to ShinyHunters

Published on: February 24, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 497 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
WhatsApp Scams in 2026: Common Types and How to Spot Them
Cursor’s Unpatched Zero-Day Lets Repos Run Malicious Code
Notepad++ 8.9.7 Patches Five Security Vulnerabilities
Barry Elad
Reviewed By
Barry Elad
Barry Elad
Founder & Senior Journalist • 757 Articles
Barry Elad is a seasoned journalist and analyst specializing in finance, technology, AI, and founder of SQ Magazine. He explores the world o...
LATEST POSTS:
ChatGPT vs DeepSeek Statistics 2026: Users, Benchmarks & Pricing
OpenAI Reveals GPT Red for Powerful AI Security Testing
OpenAI’s First Hardware Device Is Reportedly a Screenless Speaker
Cargurus Face Data Braech
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

CarGurus users may be facing a major privacy headache after a large dataset tied to the platform appeared online and was linked to the ShinyHunters cybercrime group.

Quick Summary – TLDR:

  • A dataset linked to CarGurus was published online and added to Have I Been Pwned, affecting more than 12 million records.
  • The exposed information reportedly includes emails, names, phone numbers, addresses, and some finance related data.
  • Have I Been Pwned says about 70 percent of the data had appeared in prior breaches, but millions of records may be new.
  • Security researchers warn the leak could fuel phishing, identity scams, and targeted fraud.

What Happened?

The ShinyHunters extortion group has published what it claims is a stolen dataset from CarGurus, a digital automotive marketplace used by shoppers and dealers across the U.S., Canada, and the U.K. The leak, reported as a 6.1GB archive with about 12.4 million records, has now been indexed by Have I Been Pwned, allowing people to check whether their details appear in the breach.

🚨 CarGurus Breach Exposes 12.5M Accounts After ShinyHunters Leak Hits HIBP
CarGurus data attributed to ShinyHunters was published after an extortion attempt failed and later verified by Have I Been Pwned, exposing ~12.5M accounts with 12M+ unique emails plus PII (names, phones,…

— ThreatSynop (@ThreatSynop) February 23, 2026

A huge dataset is now circulating online

CarGurus is best known as a car research and shopping platform that helps users find listings, compare prices, and contact dealers. The site draws heavy traffic, with reports estimating around 40 million monthly visitors, which is part of why this incident is getting so much attention.

According to reporting around the data leak, ShinyHunters posted a compressed archive said to contain roughly 12.4 million entries. The dataset size is described as 6.1GB, and it was published publicly after the group claimed negotiations with the company did not go their way. One report described the release as coming after an extortion attempt that appeared to stall, resulting in the data being posted for anyone to download.

What information was exposed?

Have I Been Pwned, run by security researcher Troy Hunt, added the incident after reviewing the material. The data types listed as exposed are broad and include both consumer and business related details.

Reportedly compromised data includes:

  • Email addresses
  • IP addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • User account IDs
  • Finance pre qualification application data
  • Finance application outcomes
  • Dealer account details
  • Subscription information

That mix is concerning because it is the kind of profile data scammers love. Even if a person never applied for financing, a record that connects an email to a name, phone number, and address can still make phishing more convincing and more personal.

Newsletter
Don’t chase tech news. We track it for you.

One weekly briefing with the launches, AI developments, and breaches that matter. No filler.

Not all of it is new, but that does not make it harmless

Have I Been Pwned also noted that around 70 percent of the leaked information was already present in its database from earlier incidents. That suggests a portion of the dataset may be recycled or previously exposed data being bundled together again. Still, the same reporting indicates that roughly 3.7 million records may be new, which is a big number by any standard.

Even older leaked data can cause problems because it stays useful for criminals. Many people keep the same email address for years, and some reuse passwords. Attackers can also combine old leaks with newer ones to build richer profiles for fraud.

ShinyHunters keeps popping up across industries

ShinyHunters has been tied to a growing list of data breach claims and leaks, often using extortion tactics where stolen data is posted when victims do not negotiate or pay. Recent targets mentioned in reporting include companies such as Odido, Optimizely, Figure, Canada Goose, Panera Bread, Match Group, and SoundCloud.

The group has also been associated with social engineering, especially voice phishing. In several cases, ShinyHunters has been linked to schemes that trick employees into handing over login credentials or single sign on codes, which can open the door to cloud services used by modern businesses.

One report also described tactics where attackers convince staff to install malicious OAuth apps, giving criminals API level access to customer data inside tools like Salesforce. Another described voice phishing used to obtain single sign on codes connected to services from Okta, Microsoft, and Google.

SQ Magazine’s Takeaway

I do not like how normal this is becoming. A car shopping site should not turn into a long term risk to your inbox, your phone, and your identity. Even if some of this data was already floating around, bundling it into one easy download is like handing scammers a ready made playbook. If you have ever used CarGurus, assume you may be targeted with very believable messages, and lock down your accounts now before the next wave of scams hits.

This article has been reviewed and fact-checked by Barry Elad. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Kodak Hit By Data Breach
Cybersecurity

Kodak Hit by Data Breach, ShinyHunters Claims 2.2M Records

6 Million Odido Records Published By Shinyhunters
Cybersecurity

6 Million Odido Records Published by ShinyHunters

Instructure Confirms Canvas Data Breach
Cybersecurity

Instructure Confirms Canvas Breach as ShinyHunters Lists Stolen Data

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

ShinyHunters Cyberattack Exposes Allianz Life Customer Data
29.8 Million SoundCloud Users Affected in Data Leak Tied to ShinyHunters
ShinyHunters Claim NVIDIA GeForce NOW User Database Theft

Table of Contents

  • Quick Summary – TLDR:
  • What Happened?
  • A huge dataset is now circulating online
  • What information was exposed?
  • Not all of it is new, but that does not make it harmless
  • ShinyHunters keeps popping up across industries
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
Netflix vs Disney+ vs Amazon Prime Statistics
Netflix vs Disney+ vs Amazon Prime Statistics 2026: Viewer Insights
Social Media Demographics By Platform
Social Media Demographics by Platform Statistics 2026: A Definitive Guide
Amazon Music Statistics
Amazon Music Statistics 2026: Subscribers, Share and Revenue
How Many People Use YouTube
How Many People Use YouTube 2026: Users by Country
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
ChatGPT vs DeepSeek Statistics
ChatGPT vs DeepSeek Statistics 2026: Users, Benchmarks & Pricing
ChatGPT vs Claude vs Gemini vs Perplexity Statistics
ChatGPT vs Claude vs Gemini vs Perplexity Statistics 2026: Users, Revenue & Market Share
How Many People Work At Midjourney
How Many People Work At Midjourney 2026: Lean Team, Big Revenue
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Cursor S Unpatched Zero Day Lets Repos Run Malicious Code
Cursor’s Unpatched Zero-Day Lets Repos Run Malicious Code
Notepad 8 9 7 Patches Five Security Vulnerabilities
Notepad++ 8.9.7 Patches Five Security Vulnerabilities
Telegram S T Me Domain Suspended Amid Ofac Sanctions Link
Telegram’s t.me Domain Suspended Amid OFAC Sanctions Link
Shinyhunters Abuses Salesforce Oauth To Bypass Mfa
ShinyHunters Abuses Salesforce OAuth to Bypass MFA
Lidl Confirmed Data Breach Of Online Store
Lidl Confirms Data Breach at Third-Party IT Provider
Ghostcommit Attack Hides Prompt Injection Inside Images
GhostCommit Attack Hides Prompt Injection Inside Images
Artificial Intelligence
Xai Open Sources Grok Build Coding Agent
Grok Build AI Coding Agent is Now Open Source
Openai Reveals Gpt Red For Powerful Ai Security Testing
OpenAI Reveals GPT Red for Powerful AI Security Testing
Openai S First Hardware Device Is Reportedly A Screenless Speaker
OpenAI’s First Hardware Device Is Reportedly a Screenless Speaker
Claude For Teachers Launched
Anthropic Gives Verified K-12 Teachers Free Claude Access
Kalshi S World Cup Odds In Chatgpt
OpenAI Shows Kalshi’s World Cup Odds in ChatGPT
Anthropic Extends Claude Fable 5 Access Again
Anthropic Extends Claude Fable 5 Access Again
Internet
Aws Cloudfront Outage Triggers Global 5xx Errors
AWS CloudFront Outage Triggers Global 5xx Errors
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Technology
Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Too much tech noise?

We respect your time. One high-signal briefing a week — tech, AI, and security. Nothing else.

Newsletter

The SQ Briefing

We track tech, AI, and security 24/7. You get a 5-minute weekly summary.