NEWNow you can listen to Fox News articles!
If you’ve ever searched for a car on CarGurus, your personal information is now floating around the Internet. A hacking group known as ShinyHunters has published what it says are 12.4 million records taken from CarGurus, a popular car shopping platform used by millions of people every month.
The leaked data includes names, phone numbers, email addresses, residential addresses and undergraduate financial information. While many records have already been revealed in previous events, approximately 3.7 million have recently been added to the pile. That means new data is now freely available for hackers to download.
Sign up for my FREE CyberGuy report
Get my best tech tips, emergency security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join CYBERGUY.COM newspaper.
149 MILLION PASSWORDS HACKED IN MAJOR EVIDENCE
A hacking group known as ShinyHunters claims to have leaked 12.4 million records linked to the car shopping site CarGurus. (Wei Leng Tay/Bloomberg via Getty Images)
What you need to know about the CarGurus breach
The team behind the leak, ShinyHunters, published the 6.1GB file on Feb. 21, says it’s from CarGurus. The file allegedly contained records of 12.4 million users tied to US-based car research and shopping platform CarGurus.
CarGurus operates in the US, Canada and the UK, and its website attracts approximately 40 million visitors per month. It allows you to compare cars, contact dealers, and, in some cases, apply for financing.
According to Have I Been Pwned, which later added the dataset to its breach database, the information exposed included email addresses, IP addresses, full names, phone numbers, residential addresses, account IDs, merchant information, registration information and financial eligibility application data, and results.
Have I Been Pwned reports that nearly 70% of the data was already from previous breaches. About 3.7 million records are new. CarGurus has not released an official statement confirming the incident and did not respond to media requests for comment. ShinyHunters have been known to leak company data when ransom negotiations fail. The group recently sought to attack major brands across telecom, retail, finance and technology.
How it works and why it matters to you
ShinyHunters usually gain access by tricking employees, not by breaching firewalls. In previous cases, the group used phone calls or fake login pages to convince employees to provide information. Once inside, attackers can silently access cloud systems that store customer data.
In some campaigns, they also convinced employees to install malicious apps that gave access to customer databases. That means attackers can read stored information without triggering obvious alarms. If this dataset is legitimate, the criminals now have the personal details of the profiles tied to the car buying and financing activity, which is important.
Financial eligibility data is very sensitive. Even if it doesn’t include full Social Security numbers, it shows that you’ve been sharing financial information. That makes it your primary goal to track down scams, identity theft attempts and fake loan offers. Because the data is publicly available for download, it doesn’t take much skill for hackers to start using it.
“We have recently received a cybersecurity incident,” a CarGurus spokesperson told CyberGuy. “We responded immediately by securing the affected site, and we are currently working with a leading cyber security company to investigate. Based on the investigation to date, we believe that the activity is contained and limited in scope. And, at this time, there are no indications that the seller’s data feed, APIs, or basic systems or products used by our buyers or our sellers continue to be partners in our work. Disturbance. We will notify any affected persons in accordance with applicable laws.”
DATA BREAK EXPOSES 400,000 BANK CUSTOMER INFORMATION
7 ways to protect yourself from the CarGurus breach
Here’s what you can do now to reduce your risk and stay ahead of potential scams associated with these leaks.
1) Check if your email and passwords have been compromised
To see if your email has been affected, visit I would have been arrested haveibeenpwned.com. Enter your email address to find out if your information appears in the CarGurus newsletter. When you’re done, come back here for Step 2.
The exposed dataset reportedly includes names, emails, phone numbers, addresses and pre-eligibility financial information. (Felix Zahn/Photothek via Getty Images)
2) Change your password immediately
Start with your most important accounts, such as email, medical and banking. Use strong, unique passwords with letters, numbers and symbols. Avoid predictable choices like names or birthdays. Never reuse passwords. One stolen password can open multiple accounts. A password manager makes this easy. It stores complex passwords securely and helps you create new ones. Many administrators also check for breaches to see if your current passwords have been exposed. Use a password manager to create strong, unique passwords for every account and store them securely. That way, if one account is exposed, hackers can’t use the same password to access all of your accounts. Check out the best password managers reviewed in 2026 at Cyberguy.com.
3) Reduce your online exposure with a data removal service
You can also consider a personal data removal service. Although no service can guarantee the complete removal of your data from the Internet, a data removal service is definitely a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. That’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of fraudsters transferring data from information breaches they may find on the dark web, making it harder for them to identify you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out there on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already on the web: Cyberguy.com.
4) Turn on two-factor authentication
If CarGurus or your email provider offers two-factor authentication (2FA)allow it. This adds a second step, like a code sent to your phone, making it more difficult for someone to access your account even if they have your password.
5) Watch for financial related scams
Be very careful with emails or texts about a car loan, financing approval, or following up with a seller. Do not click on links in unsolicited messages. Instead, contact the company directly using the official contact information found on its website. Also, use strong antivirus software to block malicious links and downloads that often follow phishing campaigns. If attackers use this leaked data to target you with infected attachments, antivirus protection adds another layer of protection.
Find my picks for the best antivirus 2026 winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
6) Monitor your credit reports
If you’ve applied for financing, check your credit reports for unusual inquiries or new accounts. Early detection can help you stop identity theft before it happens. Consider suspending credit if you see suspicious activity.
7) Consider identity theft protection
Identity theft protection services can monitor for unusual activity associated with your name, Social Security number, or financial accounts. They can notify you immediately if someone is trying to open a new credit card in your name.
See my tips and top picks for Best Identity Theft Protection at Cyberguy.com.
Security experts warn the leaked data could be used for phishing scams, fake loan offers and identity theft. (Stock)
The key to take Kurt
This incident highlights a bigger issue than just one company. When platforms collect data with financial and personal information, they become high-value targets. If the leaked data set is true, millions of people who were already shopping for a car now face an increased risk of fraud. CarGurus has not publicly confirmed the breach. Customers deserve clarity when sensitive financial application data may be involved. Silence only increases uncertainty.
Should companies that collect financial data publicly confirm or deny breaches within a set period of time? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS PROGRAM
Sign up for my FREE CyberGuy report
Get my best tech tips, emergency security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join CYBERGUY.COM newspaper.
Copyright 2026 CyberGuy.com. All rights reserved.
