Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

ShinyHunters cyberattack on CarGurus impacts 12.4 Million users

ShinyHunters leaked data from 12.4M CarGurus accounts, exposing personal information from the U.S.-based auto research and shopping platform. The ShinyHunters group published personal data from over 12 million CarGurus accounts. CarGurus is a U.S.-based digital automotive marketplace that helps users research, compare, and connect with sellers of new and used vehicles. Operating in the U.S., […]

ShinyHunters CarGurus

ShinyHunters leaked data from 12.4M CarGurus accounts, exposing personal information from the U.S.-based auto research and shopping platform.

The ShinyHunters group published personal data from over 12 million CarGurus accounts. CarGurus is a U.S.-based digital automotive marketplace that helps users research, compare, and connect with sellers of new and used vehicles. Operating in the U.S., Canada, and the U.K., its platform analyzes listings to identify good deals and provides tools for pricing, dealer reviews, and vehicle history. The site attracts around 40 million monthly visitors and is publicly traded, making it a major player in online car shopping and automotive research.

In February 2026, CarGurus suffered a data breach that exposed personal information, including emails, account IDs, finance applications, dealer info, names, phone numbers, addresses, IPs, and auto finance application results after a failed extortion attempt.

On February 21, the ShinyHunters group leaked a 6.1GB compressed archive containing over 12.4 million records.

The data breach monitoring service HaveIBeenPwned (HIBP) also added CarGurus to its database.

Compromised data includes:

  • Email addresses
  • Names
  • Physical addresses
  • IP addresses
  • Phone numbers

The CarGurus data breach poses multiple risks for customers. With personal information such as names, email addresses, phone numbers, and account IDs exposed, individuals face a heightened risk of phishing and social engineering attacks, as cybercriminals can craft convincing messages using real data. The leak of finance application details and other sensitive records also opens the door to identity theft and financial fraud. Exposed account information increases the likelihood of account takeovers, especially if users reuse passwords across platforms. Additionally, the disclosure of physical addresses and IP data raises privacy concerns, potentially enabling targeted marketing, stalking, or other malicious activity. Overall, these risks highlight the importance of vigilance, strong password hygiene, and monitoring for suspicious activity following the breach.

The ShinyHunters extortion group has recently targeted major companies, leaking data when ransom demands fail. Victims include Odido, Figure, Canada Goose, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)