Data leak
CarGurus ShinyHunters Data Breach - 12.4M Accounts
Incident Details
In February 2026, ShinyHunters breached CarGurus (a major US online automotive marketplace) via social engineering. After CarGurus declined to pay the ransom, the data was released publicly. The breach exposed records for approximately 12.4 million accounts. Exposed data included email addresses, names, phone numbers, physical and IP addresses, user account IDs, finance pre-qualification application data, and dealer account and subscription information. Dealer data feeds and core platform functionality were not impacted. Have I Been Pwned indexed 12.5 million affected email addresses.
Technical Details
- Initial Attack Vector
  - ShinyHunters used social engineering (pretexting/vishing: impersonating employees in calls to the help desk to request password resets) to gain unauthorized access to CarGurus systems
Timeline
- 2026-02-01 Breach occurred
- 2026-02-24 Publicly disclosed
- 2026-02-24 Customers notified