Have I Been Pwned, a security service website, has added CarGurus to its data breach database, confirming that the automotive marketplace was impacted by a data leak affecting over 12 million accounts.
According to Have I Been Pwned (HIBP), the breach occurred in February 2026 and is attributed to the extortion-focused threat actor ShinyHunters. After an attempted extortion, the stolen data was published publicly and circulated across multiple files. The breach was added to HIBP on February 22, 2026, following verification of the dataset.
What data was exposed
HIBP reports that the leaked dataset contains a wide range of personal and account-related information, including:
- Email addresses
- Full names
- Phone numbers
- Physical addresses
- IP addresses
- User account ID mappings
- Auto finance pre-qualification application data
- Finance application outcomes
- Dealer account and subscription information
Finance-related application data raises the risk of targeted phishing and fraud, particularly scams designed to impersonate lenders, dealerships, or account verification workflows.
HIBP independently validates breach datasets before listing them, ensuring that the data is authentic and tied to the affected service. For the CarGurus incident, HIBP determined that while a portion of the data overlaps with records from previous breaches, millions of accounts appear for the first time, resulting in a significant net-new exposure.
Because the dataset has been made publicly available, it can be freely accessed and reused by cybercriminals, increasing the likelihood of follow-on abuse such as credential-stuffing attempts, phishing campaigns, and social engineering attacks.
CarGurus users whose information may have been exposed should remain alert for suspicious emails, text messages, or calls referencing vehicle purchases, financing decisions, or account activity. As a precaution, users should avoid clicking links in unsolicited messages and ensure that passwords reused across multiple services are changed.
Potentially affected individuals can check their email addresses on the HIBP website to determine whether they were included in the breach.
