CarGurus breach linked to ShinyHunters exposes 12.4M records

If you've ever searched for a car connected CarGurus, your individual accusation could now beryllium circulating online. A hacking group known arsenic ShinyHunters has published what it claims are 12.4 cardinal records taken from CarGurus, a celebrated car shopping level utilized by millions of group each month.

The leaked information includes names, telephone numbers, email addresses, beingness addresses and moreover finance pre-qualification details. While astir of nan records were already exposed successful past incidents, astir 3.7 cardinal are recently added to nan pile. That intends caller information is now freely disposable for criminals to download.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you'll get instant entree to my Ultimate Scam Survival Guide – free erstwhile you subordinate my CYBERGUY.COM newsletter.

149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK

A hacker group known arsenic ShinyHunters claims it leaked 12.4 cardinal records linked to nan car shopping level CarGurus. (Wei Leng Tay/Bloomberg via Getty Images)

What you request to cognize astir nan CarGurus breach

The group down nan leak, ShinyHunters, published a 6.1GB record connected Feb. 21, claiming it came from CarGurus. The record allegedly contains 12.4 cardinal personification records tied to nan U.S.-based car investigation and shopping level CarGurus.

CarGurus operates successful nan U.S., Canada and nan U.K., and its website attracts an estimated 40 cardinal monthly visitors. It allows you to comparison vehicles, interaction sellers, and, successful immoderate cases, use for financing.

According to Have I Been Pwned, which later added nan dataset to its breach database, nan exposed accusation includes email addresses, IP addresses, afloat names, telephone numbers, beingness addresses, relationship IDs, trader details, subscription accusation and finance pre-qualification exertion data, on pinch outcomes.

Have I Been Pwned reports that astir 70% of nan information had already appeared successful erstwhile breaches. Roughly 3.7 cardinal records are new. CarGurus has not released an charismatic connection confirming nan incident and did not respond to media requests for comment. ShinyHunters is known for leaking institution information erstwhile ransom negotiations fail. The group has precocious claimed attacks connected awesome brands crossed telecom, retail, finance, and tech.

How it useful and why it matters to you

ShinyHunters typically gains entree by tricking employees, not by smashing done firewalls. In past cases, nan group utilized telephone calls aliases clone login pages to person unit to manus complete credentials. Once inside, attackers tin softly entree unreality systems that shop customer data.

In immoderate campaigns, they besides convinced labor to instal malicious apps that granted entree to customer databases. That intends attackers could publication stored accusation without triggering evident alarms. If this dataset is legitimate, criminals now person elaborate individual profiles tied to car shopping and financing activity, which is valuable.

Finance pre-qualification data is particularly sensitive. Even if it does not see afloat Social Security numbers, it signals that you were actively sharing financial details. That makes you a premier target for follow-up scams, personality theft attempts and clone indebtedness offers. Because nan information is publically disposable for download, it does not return overmuch accomplishment for criminals to commencement utilizing it.

"We precocious knowledgeable a cybersecurity incident," a CarGurus spokesperson told CyberGuy. "We promptly responded by securing nan affected environment, and we are presently moving pinch a starring cybersecurity patient to investigate. Based connected nan investigation to date, we judge nan activity has been contained and constricted successful scope. Also, astatine this time, location are nary indications that trader information feeds, APIs, aliases halfway systems aliases products utilized by our consumers aliases trader partners person been compromised. We stay afloat operational, and our services proceed without interruption. We will notify immoderate affected individuals successful accordance pinch applicable laws."

DATA BREACH EXPOSES 400,000 BANK CUSTOMERS’ INFO

7 ways you tin protect yourself from nan CarGurus breach

Here's what you tin do correct now to trim your consequence and enactment up of imaginable scams tied to this leak.

1) Check if your email and passwords are compromised

To spot if your email was affected, sojourn Have I Been Pwned astatine haveibeenpwned.com. Enter your email reside to find retired if your accusation appears successful nan CarGurus leak. When done, travel backmost present for Step 2.

The exposed dataset reportedly includes names, emails, telephone numbers, addresses and finance pre-qualification details. (Felix Zahn/Photothek via Getty Images)

2) Change your passwords immediately

Start pinch your astir important accounts, specified arsenic email, aesculapian and banking. Use strong, unsocial passwords pinch letters, numbers and symbols. Avoid predictable choices for illustration names aliases birthdays. Never reuse passwords. One stolen password tin unlock aggregate accounts.  A password head makes this simple. It stores analyzable passwords securely and helps you create caller ones. Many managers besides scan for breaches to spot if your existent passwords person been exposed. Use a password head to make strong, unsocial passwords for each relationship and shop them securely. That way, if 1 relationship is exposed, criminals can’t usage nan aforesaid password to entree nan remainder of your accounts. Check retired nan champion expert-reviewed password managers of 2026 astatine Cyberguy.com.

3) Reduce your online vulnerability pinch a information removal service

You tin besides see a personal information removal service. While nary work tin guarantee nan complete removal of your information from nan internet, a information removal work is really a smart choice. They aren't cheap, and neither is your privacy. These services do each nan activity for you by actively monitoring and systematically erasing your individual accusation from hundreds of websites. It's what gives maine bid of mind and has proven to beryllium nan astir effective measurement to erase your individual information from nan internet. By limiting nan accusation available, you trim nan consequence of scammers cross-referencing information from breaches pinch accusation they mightiness find connected nan acheronian web, making it harder for them to target you.

Check retired my apical picks for information removal services and get a free scan to find retired if your individual accusation is already retired connected nan web by visiting Cyberguy.com.

Get a free scan to find retired if your individual accusation is already retired connected nan web: Cyberguy.com.

4) Turn connected two-factor authentication

If CarGurus aliases your email supplier offers two-factor authentication (2FA), alteration it. This adds a 2nd step, for illustration a codification sent to your phone, making it overmuch harder for personification to entree your relationship moreover if they person your password.

5) Watch for finance-related phishing scams

Be other cautious pinch emails aliases texts astir car loans, financing approvals, aliases dealership follow-ups. Do not click links successful unsolicited messages. Instead, interaction nan institution straight utilizing nan charismatic interaction specifications you find connected their website. Also, usage beardown antivirus software to artifact malicious links and downloads that often travel phishing campaigns. If attackers usage this leaked information to target you pinch infected attachments, antivirus protection adds different furniture of defense.

Get my picks for nan champion 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

6) Monitor your in installments reports

If you applied for financing, cheque your in installments reports for unfamiliar inquiries aliases caller accounts. Early discovery tin thief you extremity personality theft earlier it spirals. Consider placing a in installments frost if you spot suspicious activity.

7) Consider personality theft protection

Identity theft protection services tin show for different activity tied to your name, Social Security number, aliases financial accounts. They tin alert you quickly if personification tries to unfastened a caller in installments paper successful your name.

See my tips and champion picks connected Best Identity Theft Protection astatine Cyberguy.com.

Security experts pass nan leaked accusation could beryllium utilized for phishing scams, clone indebtedness offers and personality theft. (iStock)

Kurt's cardinal takeaway

This incident highlights a bigger rumor than conscionable 1 company. When platforms cod elaborate financial and individual data, they go high-value targets. If nan leaked dataset is authentic, millions of group who were simply shopping for a car now look accrued consequence of scams. CarGurus has not publically confirmed a breach. Customers merit clarity erstwhile delicate financial exertion information whitethorn beryllium involved. Silence only increases uncertainty.

Should companies that cod financing information beryllium required to publically corroborate aliases contradict breaches wrong a group timeframe?  Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – free erstwhile you subordinate my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All authorities reserved.