CarGurus Data Breach Exposes Information of 12.5 Million Users
Published: 25 Feb 2026
Online automotive marketplace CarGurus has suffered a major data breach that compromised the personal information of approximately 12.5 million user accounts. The incident was disclosed by breach notification service Have I Been Pwned, which linked the attack to the ShinyHunters hacking group. Exposed data includes names, email addresses, phone numbers, and physical addresses, raising concerns about identity theft and phishing risks.
What Information Was Compromised
According to Have I Been Pwned, the leaked dataset contains a wide range of sensitive records. These include user account ID mappings, customer finance pre-qualification details, and dealer-related information such as subscription data. While no payment card details were mentioned, the breadth of personal and account-level data significantly increases the potential for misuse.
Who Is Behind the Breach
The breach has been attributed to ShinyHunters, a well-known cybercriminal group with a history of large-scale data theft. The group is notorious for using social engineering tactics, often impersonating employees to deceive help desks into resetting passwords. ShinyHunters has previously claimed responsibility for attacks affecting universities and major enterprise platforms, resulting in the exposure of vast amounts of customer data.
Disclosure and Investigation
The breach was publicly reported by Have I Been Pwned, which is operated by security researcher Troy Hunt. At the time of reporting, CarGurus had not issued a public statement confirming the breach or outlining remediation steps. Media outlets have contacted the company for comment, and updates are expected if an official response is released.
A Broader Pattern in the Auto Sector
This incident marks the second major automotive-related data exposure highlighted this year. Previously, data allegedly linked to CarMax surfaced online following a failed extortion attempt, affecting hundreds of thousands of customers. Together, these incidents underscore growing cybersecurity challenges faced by digital platforms in the automotive industry.
What Users Should Do
Affected users are advised to remain vigilant for phishing emails or scam calls, avoid clicking on suspicious links, and consider changing passwords associated with their CarGurus accounts. Monitoring accounts through breach notification services can also help users stay informed if their data appears in future leaks.
The CarGurus breach highlights the continuing risks posed by sophisticated cybercriminal groups and the importance of stronger security and faster transparency when customer data is exposed.

