CarGurus breach linked to ShinyHunters exposes 12.4M records

written by Kurt Knutsson
Data breach alert on CarGurus platform
At a glance
  • Hackers claim to have leaked 12.4 million CarGurus records online.
  • The exposed data includes names, emails, phone numbers and finance pre-qualification details.
  • About 3.7 million records appear to be newly exposed, while the rest were seen in earlier breaches.
  • Experts warn the data could fuel phishing scams, fake loan offers and identity theft.

 

If you’ve ever searched for a car on CarGurus, your personal information could now be circulating online. A hacking group known as ShinyHunters has published what it claims are 12.4 million records taken from CarGurus, a popular auto shopping platform used by millions of people each month.

The leaked data includes names, phone numbers, email addresses, physical addresses, and even finance pre-qualification details. While most of the records were already exposed in past incidents, about 3.7 million are newly added to the pile. That means fresh data is now freely available for criminals to download.

 

 

A person is using a laptop with Google open

 

What you need to know about the CarGurus breach

The group behind the leak, ShinyHunters, published a 6.1GB file on February 21, claiming it came from CarGurus. The file allegedly contains 12.4 million user records tied to the U.S.-based auto research and shopping platform CarGurus.

CarGurus operates in the U.S., Canada, and the U.K., and its website attracts an estimated 40 million monthly visitors. It allows you to compare vehicles, contact sellers, and, in some cases, apply for financing.

According to Have I Been Pwned, which later added the dataset to its breach database, the exposed information includes email addresses, IP addresses, full names, phone numbers, physical addresses, account IDs, dealer details, subscription information, and finance pre-qualification application data, along with outcomes.

Have I Been Pwned reports that about 70% of the data had already appeared in previous breaches. Roughly 3.7 million records are new. CarGurus has not released an official statement confirming the incident and did not respond to media requests for comment. ShinyHunters is known for leaking company data when ransom negotiations fail. The group has recently claimed attacks on major brands across telecom, retail, finance, and tech.

A person is using a laptop\

 

How it works and why it matters to you

ShinyHunters typically gains access by tricking employees, not by smashing through firewalls. In past cases, the group used phone calls or fake login pages to convince staff to hand over credentials. Once inside, attackers can quietly access cloud systems that store customer data.

In some campaigns, they also convinced employees to install malicious apps that granted access to customer databases. That means attackers could read stored information without triggering obvious alarms. If this dataset is legitimate, criminals now have detailed personal profiles tied to car shopping and financing activity, which is valuable.

Finance pre-qualification data is especially sensitive. Even if it does not include full Social Security numbers, it signals that you were actively sharing financial details. That makes you a prime target for follow-up scams, identity theft attempts, and fake loan offers. Because the data is publicly available for download, it does not take much skill for criminals to start using it.

We reached out to CarGurus for comment, and a spokesperson provided CyberGuy with the following statement,

“We recently experienced a cybersecurity incident. We promptly responded by securing the affected environment, and we are currently working with a leading cybersecurity firm to investigate. Based on the investigation to date, we believe the activity has been contained and limited in scope. Also, at this time, there are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws.”

A person is using a laptop

 

7 ways you can protect yourself from the CarGurus breach

Here’s what you can do right now to reduce your risk and stay ahead of potential scams tied to this leak.

 

1) Check if your email and passwords are compromised

To see if your email was affected, visit Have I Been Pwned.  Enter your email address to find out if your information appears in the CarGurus leak. When done, come back here for Step 2.

 

2) Change your passwords immediately

Start with your most important accounts, such as email, medical and banking. Use strong, unique passwords with letters, numbers, and symbols. Avoid predictable choices like names or birthdays. Never reuse passwords. One stolen password can unlock multiple accounts.  A password manager makes this simple. It stores complex passwords securely and helps you create new ones. Many managers also scan for breaches to see if your current passwords have been exposed. Use a password manager to generate strong, unique passwords for every account and store them securely. That way, if one account is exposed, criminals can’t use the same password to access the rest of your accounts.  Our #pick is Nordpass (save 52% wih our offer).

 

3) Reduce your online exposure with a data removal service

You can also consider a personal data removal service. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

  • Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
  • Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
  • The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

Get Incogni and remove your info
Get Incogni’s Family Plan

   

 

Is your personal information exposed online?

Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.

 

4) Turn on two-factor authentication

If CarGurus or your email provider offers two-factor authentication (2FA), enable it. This adds a second step, like a code sent to your phone, making it much harder for someone to access your account even if they have your password.

 

5) Watch for finance-related phishing scams

Be extra cautious with emails or texts about car loans, financing approvals, or dealership follow-ups. Do not click links in unsolicited messages. Instead, contact the company directly using the official contact details you find on their website. Also, use strong antivirus software to block malicious links and downloads that often follow phishing campaigns. If attackers use this leaked data to target you with infected attachments, antivirus protection adds another layer of defense.

 

6) Monitor your credit reports

If you applied for financing, check your credit reports for unfamiliar inquiries or new accounts. Early detection can help you stop identity theft before it spirals. Consider placing a credit freeze if you see suspicious activity.

 

7) Consider identity theft protection

Identity theft protection services can monitor for unusual activity tied to your name, Social Security number, or financial accounts. They can alert you quickly if someone tries to open a new credit card in your name.

 

 

Related Links: 

 

 

Kurt’s key takeaway

This incident highlights a bigger issue than just one company. When platforms collect detailed financial and personal data, they become high-value targets. If the leaked dataset is authentic, millions of people who were simply shopping for a car now face increased risk of scams. CarGurus has not publicly confirmed a breach. Customers deserve clarity when sensitive financial application data may be involved. Silence only increases uncertainty.

Should companies that collect financing data be required to publicly confirm or deny breaches within a set timeframe? Let us know in the comments below. 

 

 

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

Copyright 2026 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.