CarGurus data breach reveals 12.4 million online user records compromised

The leaked data includes names, phone numbers, email addresses, physical addresses, and even financial pre-qualification details. While most of the records have already been exposed in previous incidents, about 3.7 million of them have been newly added to the pile. This means that new data is now freely available for criminals to download.

A hacking group known as ShinyHunters claims to have leaked 12.4 million records associated with car shopping platform CarGurus. (Wei Ling Tai/Bloomberg via Getty Images)

What you need to know about the CarGurus breach

The group behind the leak, ShinyHunters, posted a 6.1GB file on February 21, claiming it came from CarGurus. The file allegedly contains 12.4 million user records associated with US-based automotive research and shopping platform CarGurus.

CarGurus operates in the United States, Canada and the United Kingdom, and its website attracts an estimated 40 million visitors per month. It allows you to compare vehicles, contact sellers, and in some cases, apply for financing.

According to the website Have I Been Pwned, which later added the dataset to its breach database, the information exposed includes email addresses, IP addresses, full names, phone numbers, physical addresses, account IDs, agent details, sign-up information, and financing pre-qualification application data, along with scores.

Have I Been Pwned reports that about 70% of the data has already appeared in previous breaches. That leaves nearly 3.7 million new records. CarGurus did not issue an official statement confirming the incident and did not respond to media requests for comment. ShinyHunters is known for leaking company data when ransom negotiations go wrong. The group recently claimed responsibility for attacks on major brands in telecom, retail, finance and technology.

How it works and why it matters to you

ShinyHunters usually gains access by tricking employees, not by hacking firewalls. In previous cases, the group used phone calls or fake login pages to convince employees to hand over credentials. Once inside, attackers can quietly access cloud systems that store customer data.

In some campaigns, they also convinced employees to install malicious applications that gave them access to customer databases. This means that attackers can read stored information without raising obvious alarms. If this data set were legitimate, criminals would now have detailed personal profiles linked to car purchasing and financing activities, which is valuable.

Financial qualification data is particularly sensitive. Even if it doesn’t include full Social Security numbers, it indicates that you’ve been actively sharing financial details. This makes you a prime target for subsequent scams, identity theft attempts, and fake loan offers. Because the data is publicly available for download, it doesn’t take much skill for criminals to start using it.

“We recently experienced a cybersecurity incident,” a CarGurus spokesperson told CyberGuy. “We responded immediately by securing the affected environment, and are currently working with a leading cybersecurity firm to investigate. Based on the investigation to date, we believe the activity is contained and limited in scope. Also at this time, there are no indications that proxy data feeds, APIs, or underlying systems or products used by our customers or business partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws.”

7 ways you can protect yourself from the CarGurus hack

Here’s what you can do now to reduce your risks and stay ahead of potential scams associated with this leak.

1) Check if your email and passwords are at risk

To see if your email has been affected, visit Have I Been Pwned at haveibeenpwned.com. Enter your email address to see if your information appears in the CarGurus leak. When you’re done, come back here for Step 2.

The exposed data set reportedly includes names, email addresses, phone numbers, addresses and financing pre-qualification details. (Felix Zhan/Phototec via Getty Images)

2) Change your passwords immediately

Start with your most important accounts, such as email, medical, and banking. Use strong, unique passwords made up of letters, numbers, and symbols, and avoid predictable choices like names or birthdays. Never reuse passwords: one stolen password can unlock multiple accounts. A password manager makes this simple. It creates a strong, unique password for each account and stores them securely, so if one account is compromised, criminals can’t use the same password to access the rest of your accounts. Many managers also scan for breaches to see if your existing passwords have been exposed. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

3) Minimize your online exposure with a data removal service

You can also consider a personal data removal service. While no service can guarantee complete removal of your data from the Internet, a data removal service is a smart choice. These services aren’t cheap, and neither is your privacy. They do all the work for you by systematically monitoring and removing your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to clear your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free check to see if your personal information really exists on the web by visiting Cyberguy.com.

4) Turn on two-factor authentication

If CarGurus or your email provider offers two-factor authentication (2FA), enable it. This adds a second step, like a code sent to your phone, making it difficult for anyone to access your account even if they have your password.

5) Watch for finance-related phishing scams

Be very careful when handling emails or text messages related to car loans, financing approvals, or dealership follow-ups. Do not click on links in spam messages. Instead, contact the company directly using the official contact details you find on their website. Also use strong antivirus software to block malicious links and downloads that often follow phishing campaigns. If attackers use this leaked data to target you with infected attachments, antivirus protection adds another layer of defense.

Get my picks for the best antivirus protection winners of 2026 for Windows, Mac, Android, and iOS at Cyberguy.com.

6) Monitor your credit reports

If you apply for financing, check your credit reports for unusual inquiries or new accounts. Early detection can help you stop identity theft before it gets worse. Consider a credit freeze if you see suspicious activity.

7) Consider identity theft protection

Identity theft protection services can monitor any unusual activity associated with your name, Social Security number, or financial accounts. They can quickly alert you if someone tries to open a new credit card in your name.

See my tips and top picks for the best identity theft protection at Cyberguy.com.

Security experts warn that leaked information could be used for phishing scams, fake loan offers and identity theft. (Istock)

Kurt’s key takeaway

This incident highlights an issue bigger than just one company. When platforms collect detailed financial and personal data, they become high-value targets. If the leaked data set is real, millions of people who were simply shopping for a car now face an increased risk of fraud. CarGurus has not publicly confirmed the breach. Customers deserve clarity when it comes to sensitive financial application data. Silence only increases uncertainty.

Should companies that collect finance data be required to publicly confirm or deny breaches within a specific time frame? Let us know by writing to us at Cyberguy.com.

Copyright 2026 CyberGuy.com. All rights reserved.
