CarGurus data breach exposes 12.4 million user records online in hack
NEWYou can now listen to Fox News articles!
If you’ve ever searched for a car on CarGurus, your personal information could now be circulating online. A hacking group known as ShinyHunters has released what it claims are 12.4 million records from CarGurus, a popular car-buying platform used by millions of people each month.
The leaked data includes names, phone numbers, email addresses, physical addresses and even financial pre-qualification details. While most of the files have already been exposed in past incidents, approximately 3.7 million have just been added to the pile. This means new data is now freely available for criminals to download.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM bulletin.
149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK
A hacker group known as ShinyHunters claims to have leaked 12.4 million records linked to car buying platform CarGurus. (Wei Leng Tay/Bloomberg via Getty Images)
What You Need to Know About CarGurus Breach
The group behind the leak, ShinyHunters, posted a 6.1 GB file on February 21, claiming it came from CarGurus. The file reportedly contains 12.4 million user records linked to the American car research and purchasing platform CarGurus.
CarGurus operates in the United States, Canada and the United Kingdom, and its website attracts approximately 40 million monthly visitors. It allows you to compare vehicles, contact sellers and, in some cases, request financing.
According to Have I Been Pwned, which later added the dataset to its breach database, the exposed information includes email addresses, IP addresses, full names, phone numbers, physical addresses, account identifiers, dealer details, subscription information and financial pre-qualification request data, as well as results.
Have I Been Pwned reports that around 70% of the data had already appeared in previous breaches. About 3.7 million records are new. CarGurus has not released an official statement confirming the incident and has not responded to media requests for comment. ShinyHunters is known to leak corporate data when ransom negotiations fail. The group has recently claimed responsibility for attacks on major brands in the telecommunications, retail, financial and technology sectors.
How it works and why it matters to you
ShinyHunters typically gains access by tricking employees, not by breaching firewalls. In the past, the group has used phone calls or fake login pages to convince staff to hand over their credentials. Once inside, attackers can stealthily access cloud systems that store customer data.
In some campaigns, they also convinced employees to install malicious applications that gave access to customer databases. This means that attackers could read the stored information without triggering obvious alarms. If this data set is legitimate, criminals now have detailed personal profiles related to car purchasing and financing activities, which is valuable.
Financial pre-qualification data is particularly sensitive. Even if it doesn’t include full Social Security numbers, it indicates that you are actively sharing financial details. This makes you a prime target for scams, identity theft attempts, and fake loan offers. Since the data is publicly available and downloadable, criminals don’t need much skill to start using it.
“We recently experienced a cybersecurity incident,” a CarGurus spokesperson told CyberGuy. “We quickly responded by securing the affected environment and are currently working with a leading cybersecurity firm to investigate. Based on the investigation to date, we believe the activity has been contained and limited in scope. Additionally, at this time, there is no indication that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational and our services continue without interruption. We will notify all the persons concerned in accordance with applicable laws.
DATA BREACH EXPOSES INFORMATION OF 400,000 BANK CUSTOMERS
7 Ways to Protect Yourself from CarGurus Breach
Here’s what you can do right now to reduce your risks and stay ahead of potential scams linked to this leak.
1) Check if your email and passwords are compromised
To see if your email address has been affected, visit Have I been pwned to haveibeenpwned.com. Enter your email address to see if your information appears in the CarGurus leak. Once finished, come back here for step 2.
The exposed dataset would include names, email addresses, phone numbers, addresses and financial pre-qualification details. (Félix Zahn/Photothek via Getty Images)
2) Change your passwords immediately
Start with your most important accounts, such as email, medical accounts, and bank accounts. Use strong, unique passwords containing letters, numbers and symbols. Avoid predictable choices like names or birthdays. Never reuse passwords. A stolen password can unlock multiple accounts. A password manager makes things simple. It stores complex passwords securely and helps you create new ones. Many managers also scan for breaches to see if your current passwords have been exposed. Use a password manager to generate strong, unique passwords for each account and store them securely. This way, if one account is exposed, criminals can’t use the same password to access the rest of your accounts. Discover the Best Expert-Rated Password Managers of 2026 at Cyberguy.com.
3) Reduce your online exposure with a data removal service
You may also consider a personal data deletion service. Although no service can guarantee the complete removal of your data from the Internet, a data deletion service is definitely a wise choice. They’re not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information across hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data deletion services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free analysis to find out if your personal information is already available on the web: Cyberguy.com.
4) Enable two-factor authentication
If CarGurus or your email provider offers two-factor authentication (2FA)activate it. This adds a second step, like a code sent to your phone, making it much harder for someone to access your account even if they know your password.
5) Watch for finance-related phishing scams
Be very careful with emails or text messages regarding car loans, financing approvals, or follow-ups at the dealership. Do not click on links in unsolicited messages. Instead, contact the company directly using the official contact information you find on its website. Also use strong antivirus software to block malicious links and downloads that often follow phishing campaigns. If attackers use this leaked data to target you with infected attachments, antivirus protection adds another layer of defense.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
6) Monitor your credit reports
If you have applied for financing, check your credit reports for unknown inquiries or new accounts. Early detection can help you stop identity theft before it escalates. Consider freezing credit if you notice suspicious activity.
7) Consider identity theft protection
Identity theft protection services may monitor unusual activity related to your name, Social Security number, or financial accounts. They can quickly alert you if someone tries to open a new credit card in your name.
Check out my tips and top picks on the best identity theft protection at Cyberguy.com.
Security experts warn that the leaked information could be used for phishing, fake loan offers and identity theft. (iStock)
Kurt’s key point
This incident highlights a problem larger than just one company. When platforms collect detailed financial and personal data, they become high-value targets. If all of the leaked data is genuine, millions of people who were simply buying a car now face an increased risk of fraud. CarGurus has not publicly confirmed a violation. Customers deserve clarity when sensitive data from financial applications may be involved. Silence only increases uncertainty.
Should companies that collect financing data be required to publicly confirm or deny violations within a defined time frame? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive offers straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM bulletin.
Copyright 2026 CyberGuy.com. All rights reserved.
