Critical

CarGurus Breach: 12.5M Accounts Exposed

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, ...

Overview

On February 12, 2026, threat actor ShinyHunters publicly released a dataset containing over 12 million CarGurus user records. The breach, which targeted the automotive marketplace, included email addresses, names, phone numbers, and IP addresses across multiple files. After an attempted extortion against CarGurus failed, ShinyHunters published the data on a public forum, where it quickly circulated among credential-stuffing and phishing groups.

The breach was confirmed when the dataset appeared on Have I Been Pwned (HIBP), the independent breach notification service. CarGurus has not yet issued a public statement confirming the full scope, but security researchers have verified the authenticity of the leaked records.

What Was Exposed

The leaked database contained four distinct types of personal data:

  • Email Addresses: Over 12 million unique email addresses tied to user accounts.
  • Names: Full names of registered users.
  • Phone Numbers: Mobile and landline numbers linked to accounts.
  • IP Addresses: The IP address from which each user last accessed CarGurus, along with associated timestamps.

Notably, no financial data, social security numbers, or vehicle-specific purchase details were included. However, the combination of email, phone, and IP address is highly valuable for identity theft and account takeover attacks.

How the Breach Happened

ShinyHunters, a known threat actor with a history of targeting e-commerce platforms, claimed responsibility for the intrusion. According to their public statements, the group exploited a misconfigured internal API endpoint that allowed them to scrape user account data without authentication. The attack vector appears to involve compromised credentials or a SQL injection vulnerability found during reconnaissance.

CarGurus is believed to have been notified several weeks before the public release, but ShinyHunters published the data after their extortion demands went unmet. The compromise did not involve customer payment systems or dealer backend databases, but the user-facing platform’s account data was fully exposed.

Who’s Actually Affected

The 12.4 million records affect anyone who created a CarGurus account — not just past or current customers, but also users who registered for saved searches, price alerts, or dealer inquiries. The breach also exposes dormant accounts and old data that may still be linked to recycled passwords.

Users who never received a breach notification from CarGurus should still verify their exposure independently, as the company has not confirmed whether it will notify all affected individuals.

What to Do Right Now

If you have a CarGurus account, take these steps immediately:

  1. Change Your Password: Update your CarGurus password to a strong, unique one immediately. Do not reuse passwords from other sites.
  2. Enable Multi-Factor Authentication (MFA): If CarGurus offers MFA, enable it. If not, remain cautious about account activity.
  3. Beware of Phishing: Expect targeted phishing emails pretending to be from CarGurus, as attackers now have your email, name, and phone number. Never click links in unsolicited messages without verifying the sender.
  4. Monitor for SIM Swapping: With both your phone number and email exposed, criminals may attempt SIM-swapping. Contact your mobile carrier to add a PIN or extra verification to your account.

How to Check If You’re Affected

You can check if your email address was included in this breach using Have I Been Pwned: https://haveibeenpwned.com/Breach/CarGurus. Enter your email address to see if it appears in the CarGurus dataset.

If your email is listed, assume all associated data (name, phone, IP) was also exposed.
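Both checks described above, the "strong, unique" password advice in step 1 and the Have I Been Pwned lookup, can be scripted against HIBP's public APIs. The following Python is an added example, not code from this report, from CarGurus or from HIBP: it checks a password against the Pwned Passwords range API using k-anonymity (only the first five hex characters of the SHA-1 are sent, never the password), and lists the breaches recorded for an email address via the HIBP v3 breachedaccount endpoint, which requires an API key that you supply. The `fetch` parameter, the `USER_AGENT` string, the `HIBP_API_KEY` variable name and any canned responses are assumptions of this example.

```python
"""Added example (not from the breach report, CarGurus or HIBP): script the exposure checks.

1. pwned_password_count: is a password already in the Pwned Passwords corpus?
   Uses the k-anonymity range API: only the first five hex characters of the
   password's SHA-1 leave the machine, never the password or its full hash.
2. breaches_for_account: which breaches list an email address?  Uses the HIBP v3
   breachedaccount endpoint, which needs an API key supplied by the caller.

`fetch` is injectable so the network can be replaced with canned responses offline.
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
HIBP_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "exposure-check-example/1.0"  # assumed name; HIBP rejects requests without a user agent

Fetcher = Callable[[str, dict], Tuple[int, str]]  # (url, headers) -> (status, body)


def http_get(url: str, headers: dict) -> Tuple[int, str]:
    """Default fetcher: GET and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.getcode(), resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", errors="replace")


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str, suffix: str) -> int:
    """The range API answers with 'SUFFIX:COUNT' lines; return the count for our suffix (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_password_count(password: str, fetch: Fetcher = http_get) -> int:
    """Number of times the password appears in Pwned Passwords; 0 means not found."""
    prefix, suffix = split_sha1(password)
    # Add-Padding makes every response a similar size so a hit or miss cannot be
    # inferred from the response length; padded entries carry a count of 0.
    headers = {"User-Agent": USER_AGENT, "Add-Padding": "true"}
    status, body = fetch(PWNED_RANGE_URL + prefix, headers)
    if status != 200:
        raise RuntimeError(f"Pwned Passwords range API returned HTTP {status}")
    return parse_range_body(body, suffix)


def breaches_for_account(email: str, api_key: str, fetch: Fetcher = http_get) -> Dict[str, List[str]]:
    """Map breach name -> exposed data classes for this email; {} when HIBP returns 404 (not found)."""
    url = HIBP_ACCOUNT_URL + quote(email, safe="") + "?truncateResponse=false"
    headers = {"hibp-api-key": api_key, "User-Agent": USER_AGENT}
    status, body = fetch(url, headers)
    if status == 404:
        return {}
    if status != 200:
        raise RuntimeError(f"HIBP breachedaccount returned HTTP {status}")
    return {b["Name"]: list(b.get("DataClasses", [])) for b in json.loads(body)}


if __name__ == "__main__":
    import getpass
    import os

    count = pwned_password_count(getpass.getpass("Password to check (never transmitted): "))
    print(f"found {count} times in Pwned Passwords; choose another" if count else "not in Pwned Passwords")
    key = os.environ.get("HIBP_API_KEY")  # assumed variable name
    if key:
        for name, classes in breaches_for_account(input("Email to check: "), key).items():
            print(f"{name}: {', '.join(classes)}")
```

The password check is safe to run on a password you actually use: the server only ever sees a five-character hash prefix and returns every suffix in that bucket, so the match is made locally. The account lookup is the authoritative way to answer "was my address in this dataset" once CarGurus appears in the breach list, and the `DataClasses` it returns tell you which of the four data types above were tied to your record.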

Security Insight

This breach mirrors a pattern seen in other ShinyHunters attacks: the group targets companies with weak API security, scrapes user data, then leaks it when extortion fails. CarGurus, like many automotive platforms, appears to have treated user account data as low-value — not realizing that a name, email address, and phone number together form a complete identity theft profile. The lesson is clear: any user-facing API that can return account-level data must be authenticated, rate-limited, and monitored, regardless of whether it touches financial systems. Companies handling consumer PII — even without payment data — should treat every endpoint as a potential target.
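One concrete form of the monitoring this insight calls for, as an added example that is not CarGurus' code or logs: the script below parses access log lines in an assumed format for a hypothetical `/api/v1/accounts/<id>` endpoint and flags the two things a defender would want alerted on, account data served to a client with no session token, and one client reading many distinct account IDs inside a short window, which is what scraping looks like from the server side. The log format, endpoint path, thresholds, IP addresses and sample lines are all constructed for the example.

```python
"""Added example (not from the breach report or CarGurus): detect account
enumeration against a user-facing API from access logs.

It checks, per client IP, for (a) account-level reads answered with HTTP 200
while no session was present, i.e. the misconfiguration itself, and (b) an
unusually large number of distinct account IDs read within a sliding window,
i.e. scraping.  Log format and endpoint path are assumptions of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Assumed log format: <ip> <iso8601 timestamp> <method> <path> <status> auth=<yes|no>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
ACCOUNT_PATH_RE = re.compile(r"^/api/v1/accounts/(?P<account_id>\d+)$")  # hypothetical endpoint

WINDOW_SECONDS = 60
MAX_DISTINCT_ACCOUNTS = 20  # more distinct IDs than this per client per window -> enumeration


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "yes"
    pm = ACCOUNT_PATH_RE.match(rec["path"])
    rec["account_id"] = pm.group("account_id") if pm else None
    return rec


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [finding, ...]} for clients showing suspicious account access."""
    findings: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, deque] = defaultdict(deque)  # per client: (timestamp, account_id) of 200 reads
    flagged_enum = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["account_id"] is None:
            continue  # only account-level reads are of interest here
        ip = rec["ip"]
        if rec["status"] != 200:
            continue  # denied or failed requests never leaked data
        if not rec["auth"]:
            findings[ip].append(f"unauthenticated 200 for account {rec['account_id']}")
        q = recent[ip]
        q.append((rec["ts"], rec["account_id"]))
        while q and (rec["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop reads that fell out of the sliding window
        distinct = {aid for _, aid in q}
        if len(distinct) > MAX_DISTINCT_ACCOUNTS and ip not in flagged_enum:
            flagged_enum.add(ip)
            findings[ip].append(f"{len(distinct)} distinct accounts in {WINDOW_SECONDS}s: likely enumeration")
    return dict(findings)


def sample_log() -> List[str]:
    """Constructed sample: one normal user reading their own account, one client walking IDs without a session."""
    base = datetime(2026, 2, 10, 12, 0, 0)
    lines = []
    for i in range(3):
        t = base.replace(second=i * 10)
        lines.append(f"10.0.0.5 {t.isoformat()} GET /api/v1/accounts/4242 200 auth=yes")
    for i in range(25):
        t = base.replace(second=i * 2)  # 25 distinct IDs inside 48 seconds
        lines.append(f"203.0.113.7 {t.isoformat()} GET /api/v1/accounts/{1000 + i} 200 auth=no")
    lines.append("203.0.113.7 2026-02-10T12:00:50 GET /api/v1/search?q=honda 200 auth=no")  # not account data
    return lines


if __name__ == "__main__":
    for ip, notes in analyse(sample_log()).items():
        print(ip)
        for note in notes:
            print("  -", note)
```

On the constructed sample the normal user produces no findings, while the second client is reported once per unauthenticated read and once for enumeration as soon as it crosses the distinct-ID threshold. The same two signals translate directly into preventive controls: a 401 for the unauthenticated path, and a per-client rate limit keyed on distinct resource IDs rather than raw request count, since a scraper can stay under a naive requests-per-minute limit while still walking every account.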
