Cyber Incident Victim: CarGurus
Date:
Feb 2026
Location:
United States of America
Summary
ShinyHunterspublished a 6.1 GB file claiming it contains 12.4 million user records taken from CarGurus, including names, phone numbers, email addresses, physical addresses and finance pre‑qualification details. About 3.7 million of the records are new, while the remainder had appeared in earlier breaches. The platform acknowledged a cybersecurity incident, said it secured the affected environment and is working with a leading security firm to investigate, and noted that dealer data feeds, APIs and core systems appear unaffected. The group typically gains access through social engineering tactics such as phishing calls or fake login pages rather than direct network attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On Feb21, 2026, ShinyHunters published a 6.1GB file claiming to contain 12.4 million CarGurus user records. The data includes names, phone numbers, email addresses, physical addresses, finance pre‑qualification details, account IDs, dealer details, subscription information, and outcomes. According to Have I Been Pwned, about 70% of the data had already appeared in previous breaches, leaving roughly 3.7 million records newly exposed. CarGurus operates in the U.S., Canada, and the U.K., attracting an estimated 40 million monthly visitors.
ShinyHunters typically gains access via social engineering, such as phone calls or fake login pages that trick employees into divulging credentials, and sometimes convinces staff to install malicious applications that grant access to cloud‑based customer databases. Once inside, attackers can quietly retrieve stored information without triggering obvious alarms. The leaked dataset provides detailed personal profiles linked to car shopping and financing activity, which the article notes is valuable to criminals. CarGurus has not issued an official statement confirming the breach beyond the spokesperson’s comment.
The CarGurus spokesperson said the company recently experienced a cybersecurity incident, promptly secured the affected environment, and is working with a leading cybersecurity firm to investigate. Based on the investigation to date, the activity is believed to be contained and limited in scope, with no indications that dealer data feeds, APIs, or core systems or products used by consumers or dealer partners have been compromised. The company states it remains fully operational and its services continue without interruption.