CarGurus breach linked to ShinyHunters exposes 12.4 million records


If you’ve ever searched for a car on CarGurus, your personal information could now be floating around online. A hacking group known as ShinyHunters has released what it claims are 12.4 million records taken from CarGurus, a popular car-buying platform used by millions of people each month.

The leaked data includes names, phone numbers, email addresses, physical addresses and even financial prequalification details. While most of the records have already been exposed in past incidents, around 3.7 million have recently been added to the pile. That means new data is now freely available for criminals to download.


A hacking group known as ShinyHunters claims to have leaked 12.4 million records linked to car-buying platform CarGurus. (Wei Leng Tay/Bloomberg via Getty Images)

What you need to know about the CarGurus breach

The group behind the leak, ShinyHunters, posted a 6.1GB file on February 21, claiming it came from CarGurus. The file allegedly contains 12.4 million user records linked to the US-based car shopping and research platform CarGurus.

CarGurus operates in the US, Canada and the UK, and its website attracts approximately 40 million monthly visitors. It allows you to compare vehicles, contact sellers and, in some cases, apply for financing.

According to Have I Been Pwned, which later added the dataset to its breach database, the exposed information includes email addresses, IP addresses, full names, phone numbers, physical addresses, account IDs, dealer details, subscription information, and financial prequalification application data, along with results.

Have I Been Pwned reports that around 70% of the data had already surfaced in previous breaches. Approximately 3.7 million records are new. CarGurus has not issued an official statement confirming the incident and did not respond to media requests for comment. ShinyHunters is known for leaking company data when ransom negotiations fail. The group has recently claimed responsibility for attacks on major telecommunications, retail, finance and technology brands.

How it works and why it is important to you

ShinyHunters typically gains access by tricking employees, not by breaking firewalls. In previous cases, the group used fake phone calls or login pages to convince staff to hand over credentials. Once inside, attackers can silently access cloud systems that store customer data.

In some campaigns, they also convinced employees to install malicious applications that granted access to customer databases. That means attackers could read the stored information without triggering obvious alarms. If this data set is legitimate, criminals now have detailed personal profiles linked to car purchasing and financing activity, which is valuable.

Financial prequalification data is especially sensitive. Even if it doesn’t include full Social Security numbers, it indicates that you were actively sharing financial details. That makes you a prime target for follow-up scams, identity theft attempts, and fake loan offers. Because the data is publicly available for download, criminals don’t need much skill to start using it.

“We recently experienced a cybersecurity incident,” a CarGurus spokesperson told CyberGuy. “We responded quickly by securing the affected environment and are currently working with a leading cybersecurity company to investigate. Based on the investigation to date, we believe the activity has been contained and limited in scope. Additionally, at this time, there is no indication that dealer data, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws.”


Seven Ways to Protect Yourself from the CarGurus Breach

Here’s what you can do right now to reduce your risk and stay ahead of potential scams related to this leak.

1) Check if your email and passwords are compromised

To see if your email was affected, visit Have I Been Pwned at haveibeenpwned.com. Enter your email address to see if your information appears in the CarGurus leak. When you’re done, come back here for Step 2.


The exposed data set reportedly includes names, emails, phone numbers, addresses and financial prequalification details. (Felix Zahn/Photothek via Getty Images)

2) Change your passwords immediately

Start with your most important accounts, such as email, medical, and banking. Use strong, unique passwords with letters, numbers, and symbols. Avoid predictable options like names or birthdays. Never reuse passwords. One stolen password can unlock multiple accounts. A password manager makes this simple. It stores complex passwords securely and helps you create new ones. Many password managers also check for breaches to see if your current passwords have been exposed. Use a password manager to generate unique, strong passwords for each account and store them securely. That way, if one account is exposed, criminals won’t be able to use the same password to access the rest of your accounts. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

3) Reduce your online exposure with a data removal service

You may also consider a personal data deletion service. While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.


4) Activate two-factor authentication

If CarGurus or your email provider offers two-factor authentication (2FA), enable it. This adds a second step, like a code sent to your phone, making it much harder for someone to access your account even if they have your password.

5) Be on the lookout for finance-related phishing scams

Be very careful with emails or text messages about auto loans, financing approvals, or dealer follow-ups. Do not click on links in unsolicited messages. Instead, contact the company directly using the official contact details found on their website. Additionally, use powerful antivirus software to block malicious links and downloads that often follow phishing campaigns. If attackers use this leaked data to send you infected attachments, antivirus protection adds another layer of defense.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

6) Check your credit reports

If you applied for financing, check your credit reports for unknown inquiries or new accounts. Early detection can help you stop identity theft before it spirals. Consider freezing your credit if you see suspicious activity.

7) Consider identity theft protection

Identity theft protection services can monitor unusual activity related to your name, Social Security number, or financial accounts. They can quickly alert you if someone tries to open a new credit card in your name.

See my tips and top picks for the best identity theft protection at Cyberguy.com.


Security experts warn that the leaked information could be used for phishing scams, fake loan offers and identity theft. (iStock)

Kurt’s Key Takeaway

This incident highlights a problem larger than that of a single company. When platforms collect detailed financial and personal data, they become high-value targets. If the leaked data set is authentic, millions of people who were simply buying a car now face a higher risk of being scammed. CarGurus has not publicly confirmed a breach. Customers deserve clarity when sensitive financial application data may be involved. Silence only increases uncertainty.

Should companies that collect financial data be required to publicly confirm or deny breaches within a certain time frame? Let us know by writing to us at Cyberguy.com.


Copyright 2026 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.
