ShinyHunters Leaks 12.4M CarGurus Records After Failed Extortion


ShinyHunters dumped 6.1GB of CarGurus data, exposing 12.4M accounts, on February 21, 2026. HIBP verified 3.7M fresh records, including emails, names, phone numbers, addresses and finance apps. CarGurus has issued no official confirmation despite inquiries from BleepingComputer.

The U.S. automotive platform serves 40M monthly visitors across the U.S., Canada and the U.K. Dealer accounts, subscriptions and finance pre-qual data were compromised alongside PII. 70% of the records had leaked previously, but the fresh subset heightens phishing risk.

ShinyHunters' vishing campaigns targeted Salesforce helpdesks for initial access. Previously, OAuth apps granted API read access to customer tables. The group's February spree includes Odido, Optimizely, Figure, Canada Goose, Panera, Match Group and SoundCloud.

Credential-harvesting pages tricked employees into submitting their SaaS platform logins. No ransomware demands were met, which led to the public dumps. The combined datasets create massive potential for phishing and fraud.

CarGurus' annual revenue of $907M underscores the scale of the breach. Social engineering remains the group's signature, bypassing technical defenses. The 70% of repeat data amplifies credential stuffing campaigns.

[Image: ShinyHunters lists CarGurus as their victim. Source: BleepingComputer]

Exposed Data Table

Data Type                Fresh Records
Email addresses          12.4M total
Full names               Confirmed
Phone numbers            Confirmed
Physical addresses       Confirmed
IP addresses             Confirmed
Finance pre-qual apps    Confirmed
Dealer accounts          Confirmed
Subscriptions            Confirmed

ShinyHunters February Victims

  • Odido: 21M telecom records
  • Optimizely: Ad tech platform
  • Figure: 1M fintech accounts
  • Canada Goose: 600K customers
  • Panera Bread: 51M accounts
  • Match Group: Dating apps
  • SoundCloud: 298M accounts

Users should monitor for phishing that references CarGurus data and proactively change passwords across services. Dark web monitoring is essential after the leak.

User Protection Steps

  • Enable 2FA everywhere immediately
  • Monitor bank/credit statements
  • Ignore unsolicited CarGurus communications
  • Scan for malware proactively
  • Use unique passwords per service
  • Check HIBP notifications regularly

Extortion groups accelerate the frequency of dumps after negotiations fail. Combined datasets fuel mass fraud operations. The platform's silence delays a coordinated response.

FAQ

How large is the ShinyHunters CarGurus leak?

6.1GB archive with 12.4M records.

How many freshly compromised accounts did HIBP verify?

3.7M newly exposed records.

What was the primary access method?

Vishing against Salesforce helpdesks.

How many monthly visitors does CarGurus have?

40 million across three countries.

What is the status of CarGurus' official response?

No confirmation issued to date.
