Last updated 1 month ago
CarGurus, a U.S.-based digital automotive marketplace, experienced a data breach involving 12.4 million user accounts. The ShinyHunters extortion group publicly disclosed the breach in February 2026 by publishing stolen records. The incident exposed personal information from the platform's user database.
The breach involved unauthorized access to CarGurus' systems, though the specific initial access vector remains unconfirmed. The ShinyHunters group exfiltrated and subsequently published over 12 million records containing personal user information. No technical details regarding exploitation techniques or affected infrastructure were provided in the disclosure.
CarGurus has not yet issued an official breach notification or confirmed containment measures. The ShinyHunters group's publication of the data represents the primary confirmed post-incident development, with no information available regarding regulatory investigations, litigation, or ransom demands.
The record count was significantly revised from 12.4 million to 1.7 million corporate records, an 86% decrease in reported affected records.
The CarGurus breach demonstrates that digital marketplaces handling millions of user records remain high-value targets for extortion-focused threat actors like ShinyHunters. The incident highlights the need for robust access controls and monitoring to detect unauthorized data exfiltration at scale, particularly when threat actors move directly to public data publication rather than ransom negotiations.