CarGurus data breach affects 12.5 million accounts

Published: February 24, 2026 at 04:27 PM EST
Source: TechCrunch

Posted: 1:27 PM PST · February 24, 2026

Automotive marketplace CarGurus was the target of a data breach in which the names, email addresses, phone numbers, and physical addresses of millions of customers were stolen.

Have I Been Pwned, a data‑notification site run by security researcher Troy Hunt, reported that 12.5 million CarGurus accounts were compromised in the breach.

CarGurus, founded in 2006, operates an online marketplace that allows customers to buy, sell, and finance vehicle purchases.

Have I Been Pwned attributed the breach to the ShinyHunters hacking group. The group is known for its social‑engineering tactics, such as calling helpdesks and pretending to be employees who need password resets. ShinyHunters have previously stolen data from:

TechCrunch has reached out to CarGurus for comment and will update this article if the company responds.

According to Have I Been Pwned, the published data included:

  • User account ID mappings
  • Finance pre‑qualification application data
  • Dealer account and subscription information

This is the second automotive‑related data breach reported by Have I Been Pwned this year. Last month, data allegedly from CarMax was published following a failed extortion attempt; the breach included about 431,000 unique email addresses along with names, phone numbers, and physical addresses. See the breach details on Have I Been Pwned.
