
The ShinyHunters extortion gang has released the personal records of 12.4 million CarGurus account holders – following what appears to be a failed ransom demand tied to a February 13th breach of the digital auto dealer.
- ShinyHunters didn’t just threaten CarGurus – they followed through, dumping 12.4 million user records after a failed ransom standoff.
- More than 12 million emails are now circulating – but 70% were already sitting in breach databases before this leak.
- This isn’t an isolated hit – the group has been moving quickly across telecom, finance, casinos, and Ivy League schools this month.
The hacker group offered the 6.1GB file download on its dark web victim blog on February 21st, after what appears to have been a failed attempt to collect a ransom from the automotive e-commerce company.
“Over 1.74M records containing PII and other internal corporate data have been compromised,” ShinyHunters posted in the CarGurus leak entry, which was initially posted on February 18th, along with a red final warning banner.
“This is a final warning to reach out by 20th Feb 2026 before we leak, along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline,” the gang wrote.
Founded in 2026 and headquartered in Boston, CarGurus is an automotive research and shopping marketplace connecting buyers and sellers across the US, Canada, and the UK.
With over 40 million monthly unique visitors and almost 40,000 participating dealers, according to its website, CarGurus' 2025 annual revenue was listed at $907 million.
Have I Been Pwned confirms 12M emails
After examining the cache, the free consumer leak-detection site Have I Been Pwned on Tuesday revealed that the pilfered data contained more than 12M email addresses across multiple files – ironically, it said 70% of the compromised emails were already previously loaded into the site’s active database.
The compromised emails are said to be associated with user account ID mappings, finance pre-qualification application data, and dealer account and subscription information, according to the Troy Hunt consumer leak detection site.
Even so, Nick Tausek, Lead Security Automation Architect at Swimlane, points out that a stolen dataset this large “is less about the file size and more about how quickly it can be operationalized for fraud and account compromise.”
“Even if some information has appeared in other leaks before, it can still be dangerous when combined with newer leaked details that make social engineering campaigns significantly more convincing,” Tausek explains.
“With real identifiers in hand, attackers can craft credible pretexts and reduce the friction needed to compromise additional accounts,” he added.
In addition to the 12.4 million emails, personally identifiable information (PII) included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
CarGurus customer data exposed in the ShinyHunters data dump includes:
- Email addresses
- IP addresses
- Names
- Phone numbers
- Physical addresses
Telecom giant Odido faces leak threat
At the same time, Dutch telecom Odido and its virtual mobile network Ben NL are the latest victims to appear on the ShinyHunters leak site.
On Tuesday, the ransomware gang gave the telecom until Thursday, February 26th, to return to the negotiation table, threatening otherwise to leak its data to the cybercriminal community.
The Odido post claims to have “almost 21M records containing Full Names, Physical addresses, email addresses, phone numbers, and plaintext passwords, IBAN, passport numbers, driver license numbers, and other internal corporate data.”
ShinyHunters has been particularly busy this month, carrying out numerous attacks via its signature social-engineering-fueled vishing tactics.
Targeting employees with a simple phone call, the attacks are believed to be linked to a wider Okta vishing campaign aimed at obtaining single sign-on (SSO) credentials across financial firms.
Okta, an identity and access management (IAM) platform, published details about the ShinyHunters activity on January 22nd, warning that the group was also targeting SSO credentials in Microsoft and Google environments.
One of those vishing victims, Figure Technology Solutions, had 1 million records dumped by the ransomware gang after the gang claimed the San Francisco-based blockchain home-lending fintech refused to pay an undisclosed ransom demand, also confirmed by Have I Been Pwned.
In an apparent jab at Figure, ShinyHunters posted purported copies of several internal messages sent by management, acknowledging attempts to trick employees into handing over sign-on credentials.
“We have received a few reports of employees being contacted on their personal phones and or work phones by people claiming to be IT and needing to set up Okta, a Passkey or some other security software,” management wrote in an internal messaging channel.
“These individuals will attempt to earn your trust by using names of actual employees. This is a phishing attempt and generally comes from contact information being pulled from LinkedIn or similar social networks,” the message continued.
ShinyHunters’ February spree widens
“ShinyHunters has established a repeatable model built for speed, where access is gained through identity-focused tactics and then quickly converted into data theft and pressure,” Tausek warns.
Tausek also expects the fallout to be cumulative, noting “more stolen data in circulation, more believable scams borrowing details from real records, and more strain on already busy teams trying to separate real customer requests from attacker noise.”
On Monday, ShinyHunters dumped the data of two high-profile investment advisory firms – Mercer Advisors and Beacon Pointe Advisors – that allegedly contained more than 5 million sensitive client records.
And earlier in the week, the gang dropped data belonging to the luxury down coat-maker Canada Goose. However, Cybernews researchers determined the data was several years old.
Further tied to a February breach at Wynn Resorts, ShinyHunters also gave the US luxury casino empire until February 20th to pay up or face the release of 800,000 personal and employee records allegedly stolen in the heist.
Ivy League colleges Harvard and UPenn, the dating conglomerate Match Group, Hinge, OkCupid, and the Bumble dating app, were all posted on the gang’s leak site this month.
Tausek tells Cybernews, “The best defense is to make the first step harder and the response faster.”
He recommends that organizations strengthen login protections and tighten the account recovery and support workflows that attackers often exploit, while also continuing to monitor for unusual sign-ins and large-scale data exports.
“The integration of agentic AI into security defenses can add real leverage by turning scattered alerts into coordinated action, which quickly validates risk and reduces the time attackers have to turn access into impact,” he said.
On June 25th, 2025, French authorities announced the arrest of four alleged members of ShinyHunters across multiple regions of France.