THE ShinyHunters cyberattack on CarGurus led to the exposure of more than 12.4 million user records after the group leaked a 6.1GB compressed archive on February 21. The compromised data included emails, names, physical addresses, IP addresses and phone numbers, with the breach reported as part of a failed extortion attempt. The CarGurus site operates in the U.S., Canada and the U.K., attracts around 40 million monthly visitors and is described as a major player in online car shopping and automotive research.
According to Have I Been Pwned, CarGurus was added to its database and more than 12 million unique email addresses were exposed in a breach earlier in February 2026. The data leak raises risks for customers, including phishing and fraud, particularly if passwords are reused across platforms, and privacy concerns around the disclosure of addresses and IP data. The ShinyHunters group has targeted major companies, and the CarGurus incident follows such patterns of social engineering to access SaaS platforms.