Feb 26, 2026 · 5 min read

ShinyHunters Voice Phished Their Way Into 12.5 Million CarGurus Accounts

The hacking group used phone calls to trick employees into handing over credentials, then leaked a 6.1GB archive containing customer emails, phone numbers, addresses, and auto finance application data.

12.5 Million Records in a Single Phone Call

On February 13, 2026, the threat actor group ShinyHunters breached CarGurus, one of the largest online automotive marketplaces in the United States. The group initially claimed to have stolen 1.7 million corporate records, but within days they published a 6.1GB archive on their dark web leak site containing data tied to approximately 12.5 million customer accounts.

According to security researchers and the breach notification service Have I Been Pwned, the stolen data includes email addresses, full names, phone numbers, physical addresses, IP addresses, and auto finance pre-qualification application data. Dealer account information and subscription details were also included in the dump.

Voice Phishing: The Attack Method of Choice

ShinyHunters did not exploit a software vulnerability to get in. They called employees. The group used voice phishing, also known as vishing, as part of a broader code stealing campaign that targeted multiple companies during the same period. The attackers impersonated IT staff and directed employees to credential-harvesting sites that looked identical to their company's single sign-on portal.

This is the same playbook ShinyHunters used to breach Panera Bread (5.1 million records), Betterment (1.4 million investment accounts), and multiple other organizations in early 2026. The group has refined voice phishing into a repeatable, scalable operation. They research targets in advance, know internal team structures and system names, and make calls that sound completely routine.

Once they had valid SSO credentials, they moved laterally through CarGurus' cloud systems, accessing customer databases, dealer management platforms, and finance application records. The entire operation, from initial phone call to data exfiltration, took less than two weeks before the data appeared on ShinyHunters' leak site.

Why Auto Finance Data Makes This Worse

Most data breaches expose names and email addresses. This one went further. The CarGurus dump includes auto finance pre-qualification application data, which means attackers now have financial information tied to specific individuals. Combined with names, addresses, phone numbers, and email addresses, this creates a comprehensive profile that enables highly targeted financial fraud.

Someone who applied for auto financing through CarGurus and then receives a convincing email about their car loan, complete with their real name and address, will be far more likely to click than someone receiving a generic phishing message. The stolen data makes every follow-up scam more believable.

ShinyHunters' 2026 Spree Continues

CarGurus is the latest in a string of high-profile breaches attributed to ShinyHunters in 2026. The group has hit companies across retail, fintech, education, and automotive sectors, consistently using voice phishing as their initial access method. Google's Mandiant team has documented the group's expanding operations, noting that they combine social engineering with cloud exploitation techniques once inside a target's environment.

The pattern is clear: ShinyHunters does not need zero-day exploits or sophisticated malware. A convincing phone call to the right employee is enough to compromise millions of customer records. The group's latest victim, identity protection company Aura, lost 900,000 records in under an hour to the same technique. Traditional security tools like firewalls and email filters are useless against an attacker who simply asks for the credentials.

What Affected Users Should Do

If you have ever used CarGurus, whether to browse listings, contact a dealer, or apply for financing, your personal data may now be in the hands of cybercriminals. Take these steps immediately:

  • Change your CarGurus password and the password on any other account where you used the same credentials
  • Be skeptical of any emails, calls, or texts referencing car purchases, auto loans, or dealership offers, especially those that include your real name and address
  • Monitor your credit reports for unauthorized inquiries, particularly auto loan applications filed in your name
  • Consider placing a fraud alert or credit freeze with the major credit bureaus if you submitted finance applications through the platform
  • Check Have I Been Pwned to confirm whether your email appears in the CarGurus breach dataset

The stolen data will circulate on criminal marketplaces for months. Phishing campaigns using this information may not appear immediately, but when they do, they will be personalized and convincing. Treat any unexpected communication about your vehicles or finances with extra caution.