Massive Data Breach at CarGurus: Are You One of the 12 Million Users Impacted?

In February 2026, a major data security incident at the popular online automotive marketplace CarGurus exposed sensitive personal information tied to tens of millions of users, including names, email addresses, phone numbers, and physical addresses. 

The breach is one of the largest consumer data exposures reported in the automotive tech sector this year, and it has serious implications for individuals whose information may now be in the hands of cybercriminals.

When companies request or require your personal information and store it, they owe you a duty of care to protect it. When inadequate security measures leave a back door open to dangerous third parties, those companies can be held accountable for failing to take appropriate measures to prevent the breach.

What Happened With the CarGurus Data Breach?

According to security researchers and breach monitoring services, the ShinyHunters hacking group, known for high-profile extortion operations, claimed responsibility for the attack. 

The group first demanded a ransom from CarGurus but, when those demands were not met, publicly published the stolen data on a dark web leak site.

Initially, ShinyHunters said they had stolen approximately 1.7 million records, including both consumer and corporate information. However, further analysis revealed a much larger dataset, roughly 12 to 12.5 million user accounts, with personally identifiable information (PII) now exposed and circulating online.

What Information Was Exposed?

The compromised data set reportedly includes a range of personal and account-related details, such as:

• Full names
• Email addresses
• Physical residential addresses
• Phone numbers
• IP addresses
• User account identifiers
• Finance pre-qualification application data
• Dealer account and subscription information

Security experts also note that roughly 70% of the email addresses in the data set have appeared in previous breaches, but millions of records may still be newly exposed as part of this incident.

What the CarGurus Data Breach Means for Consumers

Exposure of personal information on this scale puts affected individuals at heightened risk of several forms of fraud and abuse, including:

Identity Theft: With access to names, addresses, and contact information, fraudsters can attempt to open accounts, apply for credit, or impersonate victims.

Spear Phishing and Targeted Scams: Fraudulent emails or text messages that appear legitimate can be crafted using real details from breach data.

Credential Abuse: If individuals used the same or similar usernames and passwords across multiple online services, attackers may attempt to gain unauthorized access to other accounts.

How to Protect Yourself Now

If you used CarGurus or suspect your account may be included in the breach, here are several steps you can take immediately:

1. Check if Your Email Was Exposed. Use trusted breach notification services (such as Have I Been Pwned) to confirm whether your email address was part of the compromised dataset.
2. Change Your Passwords. Reset passwords on all online accounts where you used the same or similar credentials as your CarGurus login.
3. Enable Multi-Factor Authentication (MFA). Wherever possible, activate MFA to help prevent unauthorized access even if your password is compromised.
4. Monitor Financial and Identity Activity. Stay alert for unfamiliar charges, new accounts opened in your name, or notices from your bank or credit card company about unusual activity.
5. Consider Identity Theft Protection Services. Services that monitor credit reports and alert you to suspicious changes can offer an additional layer of defense.
6. Contact Morgan & Morgan to Take Action. If you believe you suffered damages due to the data breach, contact Morgan & Morgan for a free case evaluation to learn more about your legal options and whether you may be eligible for a claim against CarGurus.

Think You Have a Claim? Find Out in Minutes

Millions of Americans rely on online platforms like CarGurus to shop, compare, and finance major purchases like vehicles, trusting that their most sensitive information is protected. When that trust is breached, the consequences can be long-lasting and damaging.

Fortunately, some data protection laws allow for compensation in cases where a company’s negligence played a role in a breach.

Individuals whose personal data was compromised may be able to pursue legal action if it can be shown that the company failed to implement reasonable security measures to protect consumer data, and that, as a result of the breach, the individual suffered measurable harm, such as financial loss, identity theft, or prolonged mitigation costs.

If you believe you’ve been affected by the CarGurus data breach, acting promptly to secure your accounts and understand your legal rights can make all the difference. Contact Morgan & Morgan today for a free case evaluation to learn more.