CarGurus Data Breach
Gravity Score
Moderate. Calculated based on the types of data exposed (5 categories) and the volume of affected records (12,461,887).
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
Affected website
cargurus.com
What can we learn from this breach?
Breaches like this offer valuable lessons for the entire industry. Some security practices that help protect data at scale include: encrypting sensitive personal data at rest with properly managed encryption keys; segmenting and isolating databases so that a single breach doesn't expose all records; conducting regular security audits and penetration testing; and implementing real-time intrusion detection and incident response plans. Information security is an ongoing process, and each incident reinforces the importance of investing in data protection.