CarGurus data breach exposes information of 12.4 million accounts
February 24, 2026 01:08 PM

• The ShinyHunters extortion group has published personal information in more than 12 million records allegedly stolen from CarGurus, a U.S.-based digital auto platform.
• CarGurus is a publicly traded automotive research and shopping company that operates in the U.S., Canada, and the U.K.
• Its website has an estimated 40 million monthly visitors and helps people find, compare, and contact sellers of new and used vehicles.
• On February 21, the threat group published a 6.1GB archive containing 12.4 million records, saying it was from CarGurus.
• A day later, the HaveIBeenPwned (HIBP) data breach monitoring and alerting platform added the dataset, listing the following data types as compromised:
  - Email addresses
  - IP addresses
  - Full names
  - Phone numbers
  - Physical addresses
  - User account IDs
  - Finance pre-qualification application data
  - Finance application outcomes
  - Dealer account details
  - Subscription information
• Although CarGurus has not released an official statement disclosing a data breach and did not respond to BleepingComputer's request for comment, it is important to note that HIBP attempts to confirm the validity/authenticity of the leaked records before adding them.
• HIBP reports that 70% of the leaked data was already in its database from previous incidents, so roughly 3.7 million records are fresh.
Article Summaries:
- A U.S. automotive research site, CarGurus, is believed to have suffered a data breach after the ShinyHunters extortion group released a 6.1 GB archive containing 12.4 million records on February 21. The leak, added to the HaveIBeenPwned database the next day, includes email addresses, IPs, names, phone numbers, physical addresses, account IDs, finance application data, dealer details and subscription info. HIBP notes that 70% of the data had appeared in prior breaches, leaving roughly 3.7 million fresh records. CarGurus has not confirmed the breach, but users are warned to watch for phishing and scam attempts using the exposed data.
Sources:
- https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/ (Latest source article published: 2026-02-24 18:08 UTC)