CarGurus Breach: 12.5M Accounts Exposed

Overview

In February 2026, the popular automotive marketplace CarGurus suffered a significant data breach. A hacking group known as ShinyHunters targeted the company, stole user data, and later publicly released it after an attempted extortion. This breach compromised the personal information of over 12.4 million individuals. The exposed data is not limited to basic account details but also includes sensitive information submitted by users during vehicle financing processes.

What Was Exposed

The published data is extensive and was found across multiple files. The core personal information exposed includes:

• Email addresses
• Names
• Phone numbers
• IP addresses (which can reveal approximate location)

More critically, the breach also exposed data related to CarGurus’ services:

• User account ID mappings
• Dealer account and subscription information
• Finance pre-qualification application data, including application outcomes

Potential Impact

The exposure of email addresses, names, and phone numbers significantly increases the risk of targeted phishing attacks, smishing (SMS phishing), and spam. Criminals can use this information to craft convincing, personalized messages pretending to be from CarGurus, other automotive dealers, or financial institutions.

The inclusion of finance pre-qualification data and outcomes is particularly severe. This information could be used for more advanced fraud, such as targeted loan scams or identity theft attempts. IP addresses can help attackers build a more complete profile of a victim or attempt location-based scams. For dealers, exposed account details could lead to business email compromise attacks or fraudulent attempts to access their CarGurus seller accounts.

Recommendations

If you have ever used CarGurus, you should take the following steps immediately:

1. Change Your CarGurus Password: Immediately update your password on the CarGurus website and app. If you have used the same password on any other website, change it on those sites as well. Using a unique password for every account is critical.
2. Enable Two-Factor Authentication (2FA): If CarGurus offers two-factor authentication, enable it. This adds an essential extra layer of security to your account.
3. Be Extremely Wary of Phishing: Be suspicious of any unsolicited calls, texts, or emails referencing CarGurus, car loans, or your vehicle search. Do not click on links or provide personal information. Always contact the company directly through their official website.
4. Monitor Financial Accounts: Keep a close eye on your bank and credit card statements for any unauthorized activity. Consider placing a free fraud alert on your credit reports with the major bureaus (Equifax, Experian, TransUnion).
5. Use a Password Manager: A password manager helps you create and store strong, unique passwords for all your online accounts, preventing a breach on one site from compromising others.

How to Check If You’re Affected

The breach has been reported to the free notification service “Have I Been Pwned.” You can visit their website and enter your email address to check if it was included in this or any other known data breach. The direct link for this specific breach is: https://haveibeenpwned.com/Breach/CarGurus. If your email appears, you should follow the recommendations above.