ShinyHunters Leak 12.4 Million CarGurus Records in Massive Data Dump

ShinyHunters Leak 12.4 Million CarGurus Records in Massive Data Dump

ShinyHunters Leak 12.4 Million CarGurus Records in Massive Data Dump

Image: MargJohnsonVA/Envato

ShinyHunters allegedly leaked 12.4 million CarGurus records, exposing personal and financing data and raising risks of phishing and data extortion attacks.

Written By
Ken Underhill
Ken Underhill
Feb 25, 2026
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

Millions of CarGurus users may have had their personal and financial data exposed after a notorious threat actor group published a massive dataset allegedly stolen from the automotive marketplace.

Attributed to the ShinyHunters extortion group, the leak includes 12.4 million records, of which about 70% are new data.

“The ShinyHunters extortion group has published personal information from more than 12 million records allegedly stolen from CarGurus,” according to BleepingComputer.

What we know about the CarGurus data leak

CarGurus is a publicly traded digital auto marketplace operating in the US, Canada, and the UK, attracting an estimated 40 million monthly visitors. The platform enables users to search for vehicles, compare prices, and apply for financing

The dataset was first reported by BleepingComputer, which detailed the 6.1GB archive published by ShinyHunters. While technical details about the initial intrusion vector have not been disclosed, ShinyHunters is known for exploiting weak access controls, compromised credentials, and third-party service exposures.

In many of the group’s past campaigns, data is exfiltrated first, then used as leverage in extortion negotiations. If talks fail, the group publishes the data publicly. In this case, the exposed fields — including physical addresses, phone numbers, and financing data — can enable highly targeted social engineering attacks.

Threat actors can craft convincing phishing emails or SMS messages impersonating dealerships, lenders, or CarGurus support. Knowledge of a user’s financing pre-qualification status, for example, could be used to lure victims into completing an application or submitting additional financial documentation on a phishing page.

Must-read security coverage

Strengthening security against extortion attacks

As data extortion incidents become more common, organizations should adopt a layered, proactive strategy to reduce the potential impact of breaches.

Platforms that handle sensitive personal and financial information need clear governance policies, strong visibility into their environments, and well-defined response processes.

  • Enforce least-privilege access controls, require MFA for all privileged accounts, and continuously monitor for anomalous database queries or bulk data exports.
  • Deploy data loss prevention (DLP), egress filtering, and behavioral analytics tools to detect and block unauthorized data exfiltration attempts in real time.
  • Encrypt sensitive financial data at rest and in transit, implement tokenization where possible, and segment critical systems to reduce lateral movement and limit the impact of breaches.
  • Conduct comprehensive data inventory, classification, and minimization efforts, and enforce strict retention policies to reduce the volume of stored sensitive information.
  • Strengthen third-party risk management by assessing vendor security controls, enforcing compliance requirements, and applying zero-trust principles to partner access.
  • Regularly test and update incident response plans through tabletop exercises and red-team simulations to ensure readiness for data extortion and public leak scenarios.

The CarGurus incident fits into a broader pattern of data extortion campaigns. ShinyHunters has recently claimed responsibility for attacks targeting organizations such as Dutch telecommunications provider Odido and ad tech firm Optimizely.

Rather than relying solely on ransomware encryption, many modern threat groups prioritize data theft and public shaming tactics to increase leverage.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.