TL;DR

  • ShinyHunters extortion group exposed 12.4 million CarGurus user records in February 2026
  • 70% of the leaked data was new to breach databases — meaning these victims hadn't been exposed in previous incidents
  • The breach illustrates how third-party platforms handling customer data become high-value targets
  • Every business sharing customer data with external platforms needs a third-party risk strategy

Related: Supply Chain Attacks Explained

The Breach: What Happened

In February 2026, notorious extortion group ShinyHunters published a 6.1GB archive allegedly stolen from CarGurus, a digital auto marketplace operating across the US, Canada, and the UK [1]. The breach exposed 12.4 million user records containing:

  • Email addresses
  • Physical addresses
  • Phone numbers
  • Names
  • IP addresses [2]

According to Have I Been Pwned, approximately 70% of these records were new to their database — indicating that most victims hadn't been compromised in previously publicized breaches [3].

CarGurus attracts an estimated 40 million monthly visitors and facilitates vehicle searches, price comparisons, and financing applications [4]. That's a lot of trust placed in one platform.

Why This Matters for Your Business

Your business might not be CarGurus. But if you share customer data with any external platform — payment processors, CRMs, marketing tools, industry databases — you face the same risk pattern.

Here's what makes this breach representative of a growing threat:

1. Extortion Over Encryption

ShinyHunters exemplifies the shift from traditional ransomware (encrypting systems) to data extortion (stealing data and threatening to leak it) [5]. Rather than disrupting operations, attackers steal sensitive data and use publication as leverage. If the victim refuses to pay, the data gets dumped publicly.

This tactic is particularly effective against businesses that maintain clean backups and can quickly restore encrypted systems. The threat isn't operational disruption — it's regulatory fines, reputational damage, and customer trust erosion.

2. Third-Party Platforms as Attack Targets

Attackers don't always target businesses directly. They target the platforms that aggregate data from multiple businesses. A single breach at a payment processor, industry database, or SaaS platform can expose customers across thousands of businesses.

According to IBM's 2024 Cost of a Data Breach Report, breaches involving third parties cost significantly more and take longer to contain — averaging $4.45 million versus $4.24 million for direct breaches [6].

3. The "New Data" Problem

The fact that 70% of CarGurus records were new to Have I Been Pwned is telling. It means these customers hadn't been alerted through previous breach notifications. They likely had no idea their data was at risk until this leak.

For businesses, this underscores a harsh reality: your customers' data might be exposed through platforms you use, even if your own security is solid.

The ShinyHunters Pattern

ShinyHunters has been active since 2020, targeting organizations across multiple sectors:

  • Dutch telecommunications provider Odido — 6.2 million customer records exposed [7]
  • Ad tech firm Optimizely — vishing incident and data exposure [8]
  • Multiple SaaS platforms — credential theft and database extortion

Their typical playbook:

  1. Exploit weak access controls or compromised credentials
  2. Exfiltrate data stealthily
  3. Initiate extortion negotiations
  4. Publish data publicly if payment isn't made

This group isn't technically sophisticated — they're not using zero-day exploits or advanced tooling. They're finding weak entry points and exploiting the fact that many organizations over-collect data and under-protect it.

Related: Vendor Breaches and Dwell Time

Your Third-Party Risk Checklist

You can't eliminate third-party risk — your business depends on external platforms. But you can manage it strategically.

Before Sharing Data

  • Ask for a data inventory: What personal information does the platform store? How long do they retain it? Who has access?
  • Review their security posture: Do they have ISO 27001 certification? SOC 2 Type II? Independent security assessments?
  • Verify data encryption: Is data encrypted at rest and in transit? What key management practices do they use?
  • Understand their breach history: Have they had previous incidents? How did they respond?

Contractual Protections

  • Limit data scope: Share only the minimum data required for the service to function
  • Define retention periods: Require automatic deletion after a specified period
  • Specify breach notification timelines: 24-48 hours is reasonable for critical incidents
  • Establish liability caps: Ensure their responsibility for data loss is clearly defined
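One way to turn the "limit data scope" and "define retention periods" items into something the application enforces at the point where customer data leaves for a vendor. This is an added example, not CarGurus', the author's or any vendor's code; the vendor names, field lists and retention periods are constructed policy.

```python
"""Per-vendor data minimization and retention tracking (added example).
Vendor names, allowed fields and retention periods below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VendorContract:
    """What a vendor may receive and for how long, taken from the signed contract."""
    allowed_fields: frozenset
    retention_days: int


# Constructed contracts: the newsletter tool gets email + first name only,
# the payment processor gets email + billing address, each with its own
# retention clause.
CONTRACTS = {
    "newsletter": VendorContract(frozenset({"email", "first_name"}), 365),
    "payments": VendorContract(frozenset({"email", "billing_address"}), 2555),
}


class ScopeViolation(ValueError):
    """Raised when application code asks to send a field the contract does not cover."""


def scope_ok(vendor: str, requested: set) -> bool:
    """True only if a contract exists and every requested field is within it."""
    contract = CONTRACTS.get(vendor)
    return contract is not None and requested <= contract.allowed_fields


def minimize(vendor: str, record: dict) -> dict:
    """Strip a customer record down to the fields the vendor may hold.
    Vendors without a contract on file are refused rather than given everything."""
    contract = CONTRACTS.get(vendor)
    if contract is None:
        raise ScopeViolation(f"no data-sharing contract on file for {vendor!r}")
    return {k: v for k, v in record.items() if k in contract.allowed_fields}


def share(vendor: str, record: dict, requested: set) -> dict:
    """Gateway used by integrations: fail closed if the caller requests fields
    outside the contract, instead of silently dropping them."""
    if not scope_ok(vendor, requested):
        raise ScopeViolation(f"{vendor!r} may not receive {sorted(requested)}")
    return {k: record[k] for k in requested if k in record}


def retention_deadline(vendor: str, shared_on: date) -> date:
    """Date by which the vendor must have deleted data shared on shared_on."""
    return shared_on + timedelta(days=CONTRACTS[vendor].retention_days)


def deletion_overdue(sharing_log: list, today: date) -> list:
    """sharing_log entries are (vendor, customer_id, shared_on). Returns the
    entries whose contractual retention has lapsed and need a deletion request."""
    return [e for e in sharing_log if retention_deadline(e[0], e[2]) < today]
```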

Ongoing Monitoring

  • Require annual security reviews: Ask for updated SOC 2 reports or penetration test results
  • Monitor dark web mentions: Services like Have I Been Pwned can alert you if your business credentials appear
  • Track vendor security bulletins: Subscribe to security updates from all critical vendors
  • Conduct periodic access reviews: Revoke access for former employees and unused integrations
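An added example of the periodic access review and annual security review items above, run over a constructed inventory of vendor integrations. It is not the author's tooling; the thresholds, the inventory and the departed-staff list are assumptions, and real input would come from an identity provider or secrets manager export.

```python
"""Periodic vendor access review (added example; all data constructed)."""
from datetime import date, timedelta

UNUSED_AFTER = timedelta(days=90)         # assumed: idle this long means unused
REPORT_STALE_AFTER = timedelta(days=365)  # assumed: annual SOC 2 / pentest cadence

# Constructed inventory: one row per credential a vendor holds or that reaches
# a vendor (API keys, OAuth grants, SFTP accounts), plus the date of the last
# assurance report (SOC 2 / pentest) received from that vendor.
INVENTORY = [
    {"id": "crm-api-key", "vendor": "crm", "owner": "alice",
     "last_used": date(2026, 2, 20), "last_report": date(2025, 6, 1)},
    {"id": "legacy-export", "vendor": "analytics", "owner": "bob",
     "last_used": date(2025, 9, 1), "last_report": date(2024, 11, 1)},
    {"id": "payroll-sftp", "vendor": "payroll", "owner": "carol",
     "last_used": date(2026, 2, 28), "last_report": date(2025, 12, 15)},
]
FORMER_EMPLOYEES = {"bob"}  # constructed: would come from the HR offboarding feed


def review(inventory: list, former_employees: set, today: date) -> list:
    """Return (id, action, reasons) for every entry needing attention.
    Access is revoked when the owner has left or the integration is idle;
    a stale assurance report alone triggers a vendor review, not revocation."""
    findings = []
    for item in inventory:
        departed = item["owner"] in former_employees
        idle_days = (today - item["last_used"]).days
        idle = idle_days > UNUSED_AFTER.days
        stale_report = today - item["last_report"] > REPORT_STALE_AFTER
        reasons = []
        if departed:
            reasons.append("owner no longer employed")
        if idle:
            reasons.append(f"unused for {idle_days} days")
        if stale_report:
            reasons.append("assurance report older than a year")
        if not reasons:
            continue  # credential in use, owner current, report fresh
        action = "revoke" if (departed or idle) else "request updated report"
        findings.append((item["id"], action, reasons))
    return findings


if __name__ == "__main__":
    for finding in review(INVENTORY, FORMER_EMPLOYEES, date(2026, 3, 1)):
        print(finding)
```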

Response Planning

  • Maintain a vendor incident playbook: Know exactly who to contact and what steps to take if a vendor reports a breach
  • Prepare customer notification templates: Draft breach notices in advance so you can respond quickly
  • Designate a response team: Assign clear roles for legal, communications, and technical response
  • Test your plan: Run tabletop exercises simulating vendor breaches

The ROI of Third-Party Risk Management

Investing in vendor risk management isn't a cost center — it's risk reduction with measurable returns. According to Gartner, organizations with mature third-party risk programs experience:

  • 40% fewer security incidents involving vendors
  • 50% faster containment of vendor-related breaches
  • 60% lower regulatory fine amounts when breaches occur [9]

The alternative is reacting to incidents after they happen — when your only options are damage control and apology.

FAQ

What is third-party risk?

Third-party risk is the potential for data breaches, service disruptions, or compliance failures caused by external vendors, suppliers, or service providers that handle your business data or systems.

How do I evaluate a vendor's security?

Ask for security documentation (SOC 2, ISO 27001), review their breach history, verify they encrypt data, and require annual security assessments. For critical vendors, consider independent penetration testing.

What should I do if a vendor I use is breached?

Immediately activate your incident response plan: notify affected customers, reset credentials for exposed accounts, monitor for fraudulent activity, and document all response steps for regulatory reporting.

Is any third-party platform completely safe?

No platform is 100% safe. The goal is to minimize risk by selecting vendors with strong security practices, limiting the data you share, and preparing response plans for when incidents occur.

How much does third-party risk management cost?

Costs vary by business size and vendor count, but basic measures — security questionnaires, contract reviews, and annual assessments — typically cost $5,000–$20,000 annually for SMBs. This is far less than the average breach cost of $4.45 million.

References

[1] eSecurity Planet, "12.4 Million Accounts Exposed in CarGurus Leak," eSecurity Planet, March 2026. [Online]. Available: https://www.esecurityplanet.com/threats/12-4-million-accounts-exposed-in-cargurus-leak/

[2] Have I Been Pwned, "CarGurus Data Breach," Have I Been Pwned, 2026. [Online]. Available: https://haveibeenpwned.com/Breach/CarGurus

[3] T. Hunt, "Have I Been Pwned," X (Twitter), February 2026.

[4] CarGurus, "CarGurus Corporate Profile," CarGurus Investor Relations, 2026. [Online]. Available: https://investors.cargurus.com

[5] BleepingComputer, "CarGurus Data Breach Exposes Information of 12.4 Million Accounts," BleepingComputer, March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/

[6] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] eSecurity Planet, "Odido CRM Data Breach Exposes 6.2M Customer Records," eSecurity Planet, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/odido-crm-data-breach-exposes-6-2m-customer-records/

[8] eSecurity Planet, "Ad Tech Firm Optimizely Investigating Vishing Incident," eSecurity Planet, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/ad-tech-firm-optimizely-investigates-vishing-incident/

[9] Gartner, "Third-Party Risk Management Benchmark Report," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/risk-management/third-party-risk


Your business depends on vendors and partners. Make sure their security practices protect your customers, not expose them. Book a consultation at consult.lil.business to build a third-party risk strategy that works.

TL;DR

  • A website called CarGurus had 12.4 million customer records stolen and published online
  • This happened because hackers found a way to break into their computer systems
  • It teaches us that when we share information with companies, we're trusting them to keep it safe
  • Businesses need to be careful about which companies they share customer data with

What Is a Data Breach?

Imagine you write a secret note and give it to a friend to keep safe. You trust your friend to hide it where nobody else can find it.

A data breach is like someone breaking into your friend's house and finding that secret note. Now your secret isn't secret anymore.

When businesses use computers to store customer information — things like names, addresses, phone numbers, and email addresses — they have to keep it safe from hackers. A data breach happens when hackers break in and steal that information.

What Happened at CarGurus?

CarGurus is a website where people go to buy and sell cars. It's like a big online car marketplace where millions of people search for vehicles, compare prices, and apply for loans.

In February 2026, a group of hackers called ShinyHunters broke into CarGurus' computer systems and stole information about 12.4 million customers [1]. That's more people than live in entire countries like Switzerland or Austria!

The stolen information included:

  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Some financing information [2]

Then the hackers did something scary: they published all this information online, where anyone could see it.

Why This Matters for Your Business

If you run a business, you probably share customer information with other companies. Here are some examples:

  • Payment processors like Stripe or PayPal handle credit card information
  • Email marketing tools like Mailchimp store customer email addresses
  • CRM software like Salesforce keeps customer contact details
  • Industry platforms might share customer data with partners

When you share information with these companies, you're trusting them to keep it safe. If one of them gets hacked — like CarGurus did — your customers' information could be exposed too.

Think of it like lending your favorite book to a friend. If your friend leaves it on the bus and someone steals it, that's not your fault — but you've still lost your book.

The "Key Under the Mat" Problem

Imagine you hide a spare key to your house under the doormat in case you lock yourself out. It's convenient, but it also means anyone who finds that key can get inside.

Many businesses share customer information with lots of different companies because it's convenient. Each company is like another key under the mat. The more keys you have, the more chances someone has to find one and break in.

Here's why this is risky:

You can't control someone else's security. You might have excellent locks on your doors, but if you give a key to someone who leaves theirs under a flowerpot, your house still isn't secure.

You might not know when something goes wrong. If a company you work with gets hacked, you might not find out until weeks or months later.

Your customers trust you, not your vendors. When customers give you their information, they're trusting YOU to keep it safe — even if you end up sharing it with other companies.

How to Protect Your Customers

You can't eliminate all risk — doing business online means sharing information sometimes. But you CAN be smart about which companies you trust with customer data.

Choose Partners Carefully

Before sharing customer information with any company, ask yourself:

  • Do they really need this information to do their job?
  • What happens to the information when they're done with it?
  • Have they had security problems before?
  • Do they have security certifications (like SOC 2 or ISO 27001)?

Share Only What's Necessary

If a newsletter service only needs email addresses, don't give them phone numbers too. If a payment processor only needs billing addresses, don't give them customer birthdays.

Think of it like this: if you're hiring a dog walker, you give them a key to your house — but not the code to your safe. They only need access to what they're actually helping with.

Make a Plan Before Something Happens

Waiting until after a breach happens to figure out what to do is like waiting until your house catches fire to buy a smoke detector.

Have a plan ready:

  • Which customers do we need to notify?
  • What do we tell them?
  • How do we help them protect themselves?
  • Who is responsible for what?

What Your Customers Can Do

If your customers' data was exposed in a breach (like the CarGurus one), here's what they should do:

  1. Change their passwords — especially if they used the same password on multiple websites
  2. Enable two-factor authentication — this adds an extra layer of security, like requiring both a password and a code sent to their phone
  3. Watch for suspicious messages — hackers might use stolen information to send fake emails or texts pretending to be from real companies
  4. Check their credit reports — if financial information was stolen, they should look for any accounts or loans they didn't open

The Big Lesson

The CarGurus breach teaches us something important: when you share information with another company, their security becomes YOUR security problem.

You wouldn't hand your wallet to someone you don't know and walk away. So be careful about which companies you hand your customers' information to — and what information you share.

Because when something goes wrong, your customers will look to YOU, not the company you trusted.

FAQ

What is a data breach?

A data breach is when hackers break into a company's computer systems and steal information. It's like a burglar breaking into a house and stealing valuable items.

What can hackers do with stolen information?

Hackers can use stolen information to pretend to be other people, access their accounts, or trick them into giving away more information (like passwords or bank details). They can also sell the information to other criminals.

How can I tell if a company keeps data safe?

Look for security certifications like SOC 2 or ISO 27001, ask about their security practices, and check if they've had breaches before. Companies that take security seriously will be happy to talk about it.

What should I do if my information was exposed in a breach?

Change your passwords, enable two-factor authentication, watch for suspicious messages, and consider freezing your credit reports if financial information was exposed.

Should businesses stop using third-party services altogether?

Not really — most businesses need to use some third-party services to operate. The goal is to choose carefully and share only what's necessary, not to eliminate all third parties.

References

[1] eSecurity Planet, "12.4 Million Accounts Exposed in CarGurus Leak," eSecurity Planet, March 2026. [Online]. Available: https://www.esecurityplanet.com/threats/12-4-million-accounts-exposed-in-cargurus-leak/

[2] Have I Been Pwned, "CarGurus Data Breach," Have I Been Pwned, 2026. [Online]. Available: https://haveibeenpwned.com/Breach/CarGurus

[3] BleepingComputer, "CarGurus Data Breach Exposes Information of 12.4 Million Accounts," BleepingComputer, March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/


Choosing the right partners is part of protecting your customers. Book a consultation at consult.lil.business to build a security strategy that covers your entire business ecosystem.
