CarGurus breach linked to ShinyHunters exposes 12.4M records

The leaked data includes names, phone numbers, email addresses, physical addresses and even finance pre-qualification details. While most of the records were already exposed in past incidents, about 3.7 million are newly added to the pile. That means fresh data is now freely available for criminals to download.

Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

The group behind the leak, ShinyHunters, published a 6.1GB file on Feb. 21, claiming it came from CarGurus. The file allegedly contains 12.4 million user records tied to the U.S.-based auto research and shopping platform CarGurus.

CarGurus operates in the U.S., Canada and the U.K., and its website attracts an estimated 40 million monthly visitors. It allows you to compare vehicles, contact sellers, and, in some cases, apply for financing.

According to Have I Been Pwned, which later added the dataset to its breach database, the exposed information includes email addresses, IP addresses, full names, phone numbers, physical addresses, account IDs, dealer details, subscription information and finance pre-qualification application data, along with outcomes.

Have I Been Pwned reports that about 70% of the data had already appeared in previous breaches. Roughly 3.7 million records are new. CarGurus has not released an official statement confirming the incident and did not respond to media requests for comment. ShinyHunters is known for leaking company data when ransom negotiations fail. The group has recently claimed attacks on major brands across telecom, retail, finance, and tech.

ShinyHunters typically gains access by tricking employees, not by smashing through firewalls. In past cases, the group used phone calls or fake login pages to convince staff to hand over credentials. Once inside, attackers can quietly access cloud systems that store customer data.

In some campaigns, they also convinced employees to install malicious apps that granted access to customer databases. That means attackers could read stored information without triggering obvious alarms. If this dataset is legitimate, criminals now have detailed personal profiles tied to car shopping and financing activity, which is valuable.

"We recently experienced a cybersecurity incident," a CarGurus spokesperson told CyberGuy. "We promptly responded by securing the affected environment, and we are currently working with a leading cybersecurity firm to investigate. Based on the investigation to date, we believe the activity has been contained and limited in scope. Also, at this time, there are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws."

Here's what you can do right now to reduce your risk and stay ahead of potential scams tied to this leak.

To see if your email was affected, visit Have I Been Pwned at haveibeenpwned.com. Enter your email address to find out if your information appears in the CarGurus leak. When done, come back here for Step 2.

Start with your most important accounts, such as email, medical and banking. Use strong, unique passwords with letters, numbers and symbols. Avoid predictable choices like names or birthdays. Never reuse passwords. One stolen password can unlock multiple accounts.  A password manager makes this simple. It stores complex passwords securely and helps you create new ones. Many managers also scan for breaches to see if your current passwords have been exposed. Use a password manager to generate strong, unique passwords for every account and store them securely. That way, if one account is exposed, criminals can't use the same password to access the rest of your accounts. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

If you applied for financing, check your credit reports for unfamiliar inquiries or new accounts. Early detection can help you stop identity theft before it spirals. Consider placing a credit freeze if you see suspicious activity.

Identity theft protection services can monitor for unusual activity tied to your name, Social Security number, or financial accounts. They can alert you quickly if someone tries to open a new credit card in your name.

See my tips and best picks on Best Identity Theft Protection at Cyberguy.com.

This incident highlights a bigger issue than just one company. When platforms collect detailed financial and personal data, they become high-value targets. If the leaked dataset is authentic, millions of people who were simply shopping for a car now face increased risk of scams. CarGurus has not publicly confirmed a breach. Customers deserve clarity when sensitive financial application data may be involved. Silence only increases uncertainty.

Should companies that collect financing data be required to publicly confirm or deny breaches within a set timeframe?  Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.