
ShinyHunters publishes 12.4 million alleged CarGurus records in latest data leak

The ShinyHunters extortion group has published more than 12 million records allegedly stolen from CarGurus, a publicly traded U.S.-based digital automotive marketplace, exposing a trove of personal and account information in a 6.1 gigabyte archive released Feb. 21.


The dataset, attributed to CarGurus, contains approximately 12.4 million records. CarGurus operates an online automotive research and shopping platform serving the United States, Canada and the United Kingdom, attracting an estimated 40 million monthly visitors who use the site to find, compare and contact sellers of new and used vehicles.


On Feb. 22, the breach monitoring service Have I Been Pwned added the dataset to its platform after validating the material. The exposed information includes email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, finance pre-qualification application data, finance application outcomes, dealer account details and subscription information.


Have I Been Pwned determined that roughly 70 percent of the data had previously appeared in earlier breach collections, leaving about 3.7 million newly exposed records. The full archive is publicly accessible, creating potential risks for phishing campaigns and other forms of targeted fraud that rely on personal and financial details.


CarGurus has not issued a public disclosure confirming a breach. The company did not respond to inquiries seeking comment.


The leak marks the latest in a series of high-profile data extortion claims by ShinyHunters. The group has recently asserted responsibility for incidents involving organizations including Odido, Optimizely, Figure, Canada Goose, Panera Bread, Match Group and SoundCloud.


ShinyHunters commonly relies on social engineering tactics, particularly voice phishing, to gain initial access to corporate environments. Victims are directed to credential-harvesting pages designed to capture login information for widely used software-as-a-service platforms such as Salesforce, Okta and Microsoft 365.


Earlier campaigns attributed to the group have also involved persuading employees to install malicious OAuth applications. Those applications granted attackers API-level read access to customer data tables within Salesforce environments, enabling large-scale data extraction.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543