CarGurus breach linked to ShinyHunters exposes 12.4M records

If you've ever searched for a car connected CarGurus, your idiosyncratic accusation could present beryllium circulating online. A hacking radical known arsenic ShinyHunters has published what it claims are 12.4 cardinal records taken from CarGurus, a fashionable car buying level utilized by millions of radical each month.

The leaked information includes names, telephone numbers, email addresses, carnal addresses and adjacent concern pre-qualification details. While astir of the records were already exposed successful past incidents, astir 3.7 cardinal are recently added to the pile. That means caller information is present freely disposable for criminals to download.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you'll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

A hacker radical known arsenic ShinyHunters claims it leaked 12.4 cardinal records linked to the car buying level CarGurus. (Wei Leng Tay/Bloomberg via Getty Images)

What you request to cognize astir the CarGurus breach

The radical down the leak, ShinyHunters, published a 6.1GB record connected Feb. 21, claiming it came from CarGurus. The record allegedly contains 12.4 cardinal idiosyncratic records tied to the U.S.-based car probe and buying level CarGurus.

CarGurus operates successful the U.S., Canada and the U.K., and its website attracts an estimated 40 cardinal monthly visitors. It allows you to comparison vehicles, interaction sellers, and, successful immoderate cases, use for financing.

According to Have I Been Pwned, which aboriginal added the dataset to its breach database, the exposed accusation includes email addresses, IP addresses, afloat names, telephone numbers, carnal addresses, relationship IDs, trader details, subscription accusation and concern pre-qualification exertion data, on with outcomes.

Have I Been Pwned reports that astir 70% of the information had already appeared successful erstwhile breaches. Roughly 3.7 cardinal records are new. CarGurus has not released an authoritative connection confirming the incidental and did not respond to media requests for comment. ShinyHunters is known for leaking institution information erstwhile ransom negotiations fail. The radical has precocious claimed attacks connected large brands crossed telecom, retail, finance, and tech.

How it works and wherefore it matters to you

ShinyHunters typically gains entree by tricking employees, not by smashing done firewalls. In past cases, the radical utilized telephone calls oregon fake login pages to person unit to manus implicit credentials. Once inside, attackers tin softly entree unreality systems that store lawsuit data.

In immoderate campaigns, they besides convinced employees to instal malicious apps that granted entree to lawsuit databases. That means attackers could work stored accusation without triggering evident alarms. If this dataset is legitimate, criminals present person elaborate idiosyncratic profiles tied to car buying and financing activity, which is valuable.

Finance pre-qualification information is particularly sensitive. Even if it does not see afloat Social Security numbers, it signals that you were actively sharing fiscal details. That makes you a premier people for follow-up scams, individuality theft attempts and fake indebtedness offers. Because the information is publically disposable for download, it does not instrumentality overmuch accomplishment for criminals to commencement utilizing it.

"We precocious experienced a cybersecurity incident," a CarGurus spokesperson told CyberGuy. "We promptly responded by securing the affected environment, and we are presently moving with a starring cybersecurity steadfast to investigate. Based connected the probe to date, we judge the enactment has been contained and constricted successful scope. Also, astatine this time, determination are nary indications that trader information feeds, APIs, oregon halfway systems oregon products utilized by our consumers oregon trader partners person been compromised. We stay afloat operational, and our services proceed without interruption. We volition notify immoderate affected individuals successful accordance with applicable laws."

DATA BREACH EXPOSES 400,000 BANK CUSTOMERS’ INFO

7 ways you tin support yourself from the CarGurus breach

Here's what you tin bash close present to trim your hazard and enactment up of imaginable scams tied to this leak.

1) Check if your email and passwords are compromised

To spot if your email was affected, sojourn Have I Been Pwned astatine haveibeenpwned.com. Enter your email code to find retired if your accusation appears successful the CarGurus leak. When done, travel backmost present for Step 2.

The exposed dataset reportedly includes names, emails, telephone numbers, addresses and concern pre-qualification details. (Felix Zahn/Photothek via Getty Images)

2) Change your passwords immediately

Start with your astir important accounts, specified arsenic email, aesculapian and banking. Use strong, unsocial passwords with letters, numbers and symbols. Avoid predictable choices similar names oregon birthdays. Never reuse passwords. One stolen password tin unlock aggregate accounts.  A password manager makes this simple. It stores analyzable passwords securely and helps you make caller ones. Many managers besides scan for breaches to spot if your existent passwords person been exposed. Use a password manager to make strong, unsocial passwords for each relationship and store them securely. That way, if 1 relationship is exposed, criminals can’t usage the aforesaid password to entree the remainder of your accounts. Check retired the champion expert-reviewed password managers of 2026 astatine Cyberguy.com.

3) Reduce your online vulnerability with a information removal service

You tin besides see a idiosyncratic information removal service. While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

4) Turn connected two-factor authentication

If CarGurus oregon your email supplier offers two-factor authentication (2FA), alteration it. This adds a 2nd step, similar a codification sent to your phone, making it overmuch harder for idiosyncratic to entree your relationship adjacent if they person your password.

5) Watch for finance-related phishing scams

Be other cautious with emails oregon texts astir car loans, financing approvals, oregon dealership follow-ups. Do not click links successful unsolicited messages. Instead, interaction the institution straight utilizing the authoritative interaction details you find connected their website. Also, usage beardown antivirus bundle to artifact malicious links and downloads that often travel phishing campaigns. If attackers usage this leaked information to people you with infected attachments, antivirus extortion adds different furniture of defense.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

6) Monitor your recognition reports

If you applied for financing, cheque your recognition reports for unfamiliar inquiries oregon caller accounts. Early detection tin assistance you halt individuality theft earlier it spirals. Consider placing a recognition frost if you spot suspicious activity.

7) Consider individuality theft protection

Identity theft extortion services tin show for antithetic enactment tied to your name, Social Security number, oregon fiscal accounts. They tin alert you rapidly if idiosyncratic tries to unfastened a caller recognition paper successful your name.

See my tips and champion picks connected Best Identity Theft Protection astatine Cyberguy.com.

Security experts pass the leaked accusation could beryllium utilized for phishing scams, fake indebtedness offers and individuality theft. (iStock)

Kurt's cardinal takeaway

This incidental highlights a bigger contented than conscionable 1 company. When platforms cod elaborate fiscal and idiosyncratic data, they go high-value targets. If the leaked dataset is authentic, millions of radical who were simply buying for a car present look accrued hazard of scams. CarGurus has not publically confirmed a breach. Customers merit clarity erstwhile delicate fiscal exertion information whitethorn beryllium involved. Silence lone increases uncertainty.

Should companies that cod financing information beryllium required to publically corroborate oregon contradict breaches wrong a acceptable timeframe?  Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.