A Cargurus data breach occurred in February 2026. According to the website, haveibeenpwned.com (HIBP), 12.5 million CarGurus accounts are exposed. The hacker group which goes by the name of ShinyHunters attempted to extort the company before exposing the data.
What data is leaked?
The extracted data included names, email, phone numbers, addresses, finance pre-qualification data, and new and used car dealer account and subscription information. IP addresses and user account ID mappings are also included.
Who is affected by the CarGurus Data Breach?
Users of the CarGurus website as well as dealers. The group claimed they harvested 1.7 million records, but the actual amount leaked on February 20, 2026 was 12.5 million accourding to HIBP.
What can you do about the CarGurus Data Breach?
So far CarGurus has not posted a comment about the attack. If you are a dealer or user of Cargurus it would be a good idea to change your password on their website. In addition, if your personal information is exposed you might want to put a fraud alert on your credit file. This will make it harder for criminals to impersonate you and open credit in your name. You can also request that Cargurus delete your account by emailing them at cancellations@cargurus.com
How can I prevent this from happening again?
Sadly, anytime we give a company our data, we are trusting them to keep it protected. Large companies have processes in place and must meet strict standards imposed by the government. However, this doesn’t mean that best practices are followed. Nor does it ensure that third parties contractors or corporation a business uses has the same standards. The best thing you can do is limit the companies you share your data with. In addition, using unique passwords for every website and 2 factor authentication when available. Finally, request the deletion of data and remove old accounts on websites you no longer use.
The same group recently targeted Carmax and exposed 431,400 users data after a failed extortion attempt in January of this year.