TL;DR: On February 13, 2026, ShinyHunters breached CarGurus through voice phishing. They stole 12.5 million email addresses, auto loan pre-qualification data, dealer subscription information, and physical addresses. After CarGurus missed the February 20 extortion deadline, ShinyHunters dumped everything. The breach is now in Have I Been Pwned. If you've ever used CarGurus to browse cars, get financing quotes, or run a dealership listing, your data is public.
What They Took
ShinyHunters published a 6.1GB compressed archive containing what they described as "over 12.4 million records containing PII and other internal corporate data" [1]. Here's what's in it:
- 12.5 million email addresses: verified by Have I Been Pwned on February 22 [2]
- Auto finance pre-qualification applications: credit inquiries, loan outcomes
- Dealer account and subscription data: business information for thousands of dealerships
- User account ID mappings: connecting user identities across CarGurus' systems
- Names, phone numbers, physical addresses, IP addresses: the full PII package
That finance application data is particularly nasty. When you fill out those "see if you pre-qualify" forms on car shopping sites, you're handing over sensitive financial information. Now attackers have the results.
Voice Phishing Strikes Again
ShinyHunters used the same playbook that's worked for them all month: vishing [3].
They called CarGurus employees pretending to be IT support. Convinced them to hand over their Okta single sign-on codes. Used those codes to authenticate as legitimate employees. Then walked through the front door.
This isn't sophisticated. There's no zero-day exploit here. Just someone picking up a phone and convincing a human to bypass security controls.
The breach happened on February 13, 2026. By February 18, ShinyHunters was already posting threats on their leak site: "This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way" [4].
CarGurus didn't pay. On February 20, the dump went live.
What CarGurus Has Said
Almost nothing.
CarGurus acknowledged investigating a "cybersecurity incident" but hasn't issued a formal breach notification or detailed statement [5]. The company didn't respond to press inquiries at the time the breach became public.
No word on whether they're notifying affected users directly, offering credit monitoring, or explaining how they let someone vish their way into systems containing 12 million customer records.
If you used CarGurus, don't wait for them to tell you. Check Have I Been Pwned yourself: haveibeenpwned.com
Part of a Bigger Campaign
CarGurus is victim number... we've lost count. ShinyHunters has been on an absolute tear since January 2026.
The same voice phishing technique has been used against [6]:
- Harvard and UPenn: 2.2 million alumni records
- Betterment: 1.4 million investment accounts
- Figure: 967,000 fintech customers
- Match Group: dating app data
- Panera Bread: customer accounts
- Investment advisory firms: financial data
The pattern is consistent: target employees at companies using Okta, Microsoft, or Google SSO. Call them. Trick them. Steal their session tokens. Exfiltrate everything. Demand ransom. Dump when they don't pay.
It keeps working because companies keep training employees to be helpful on the phone, but don't train them to hang up on anyone asking for authentication codes.
What You Should Do
Check Have I Been Pwned
Visit haveibeenpwned.com and search your email. The CarGurus breach was added February 22.
Change Passwords
If you ever created a CarGurus account, change that password. If you reused it anywhere else (you shouldn't), change it there too.
Watch for Auto Loan Fraud
If you used CarGurus' financing tools, monitor your credit reports. Someone could use your pre-qualification data to apply for loans in your name.
Freeze Your Credit
A freeze is free at all three bureaus, and it prevents anyone from opening new accounts in your name until you unfreeze it.
Expect Targeted Phishing
Attackers now know you were car shopping. Expect fake "your loan application was approved" emails, "dealership follow-up" texts, and vehicle-related scams.
Dealers: Audit Your Accounts
If you're a dealership using CarGurus, your business data was in this breach. Review your subscription information and watch for unauthorized account access.
The Real Problem
Every company uses single sign-on now. Okta, Microsoft Entra, Google Workspace: pick your flavor. These systems are supposed to make authentication more secure.
But they've also created a single point of failure. Trick one employee into approving one fake login prompt, and you're in the entire organization.
ShinyHunters figured this out. They're not hacking systems, they're hacking people. And companies keep losing because they haven't figured out how to train employees to say no when IT calls.
CarGurus learned this lesson the hard way. Their 12.5 million users are paying the price.
References
- [1] The Register - ShinyHunters claims it drove off with 1.7M CarGurus records (February 18, 2026)
- [2] Have I Been Pwned - CarGurus Data Breach (February 22, 2026)
- [3] Cyber Insider - CarGurus data breach by ShinyHunters exposed 12.5 million accounts (February 2026)
- [4] TechRadar - Major CarGurus data breach reportedly sees 1.7 million corporate records stolen (February 2026)
- [5] Dealership Guy - CarGurus probes cyberattack, ShinyHunters claims theft of 1.7M records (February 23, 2026)
- [6] SC Media - CarGurus purportedly breached by ShinyHunters (February 2026)
Published: February 24, 2026