Founded in 2006, CarGurus is an automotive research platform and marketplace that operates in the US, UK, and Canada.
The incident, originally reported on Have I Been Pwned, caught up 12.5 million users of the CarGurus marketplace in a breach.
“Following an attempted extortion, the data was published publicly and contained more than 12 [million] email addresses across multiple files, including user account ID mappings, finance pre-qualification application data and dealer account and subscription information,” the site said.
“Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.”
The report attributes the incident to the infamous hacking group ShinyHunters, citing a mid-February report that found the group had claimed a breach of CarGurus in which 1.7 million corporate records were stolen.
“This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that’ll come your way,” ShinyHunters said in its announcement at the time.
The initial breach, which occurred on 13 February, saw ShinyHunters use voice phishing to obtain single-sign-on codes from Okta, Microsoft and Google service users, all as part of a code-stealing campaign.
The CarGurus breach brings the number of breaches claimed just this year by ShinyHunters and the alleged crime supergroup Scattered Lapsus$ Hunters to 15 as of 18 February, according to The Register. Other victims include Beacon Pointe Advisors and Mercer Advisors, whose data the threat actors threatened to leak.
Speaking with TechCrunch, a spokesperson for CarGurus said the cyber incident had been contained.
“There are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws,” said spokesperson Maggie Meluzio.
CarGurus did not deny the figure supplied by Have I Been Pwned. It is unclear if the 12.5 million impacted are related to the breach cited by The Register.
Daniel Croft