CarGurus Data Breach

Status: Confirmed / Data Published
Records: 12.5M+
Breach: Feb 2026
Data Posted: Feb 2026

Breach Overview

Threat Actor: ShinyHunters
Vector (Reported): Voice phishing (vishing) targeting SSO credentials
Date of Breach: February 13, 2026 (reported)
Public Release: February 23, 2026
Initial Claim: 1.7M records
Verified Dataset Size: 12M+ user records
Added to HIBP: February 22, 2026

Summary

In mid-February 2026, ShinyHunters claimed to have breached CarGurus, Inc., an online automotive marketplace serving U.S. car buyers and dealers.

After issuing a public extortion demand with a February 20 deadline, the threat actor released the full dataset when payment was not made. The published data contains over 12 million user records spanning nearly two decades of account registrations dating back to 2006.

CarGurus acknowledged a cybersecurity incident on February 21 and stated it secured the affected environment and launched an investigation with a third-party cybersecurity firm. The company characterized the breach as limited in scope, though the publicly available dataset suggests broader exposure.

The data is now indexed and searchable across breach intelligence platforms.

About CarGurus

CarGurus is a major U.S. automotive marketplace connecting car buyers, dealers, and financing partners. The platform supports:

  • Vehicle listings and dealer subscriptions
  • Buyer accounts
  • Finance pre-qualification workflows
  • Dealer and corporate data integrations

If you have created a CarGurus account, applied for auto financing through the platform, listed or inquired about a vehicle, or operated a dealership account, your data may be included.

Data Points Exposed

Verified fields in the released dataset:

  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • IP addresses
  • Account creation dates
  • User UUIDs and internal IDs
  • Finance pre-qualification application data
  • Dealer subscription and corporate records

Not confirmed in the dataset:

  • Passwords (plaintext)

Attack Pattern: ShinyHunters SSO Campaign

If reporting is accurate, this breach follows a consistent ShinyHunters playbook used across multiple recent incidents.

The method:

  • Voice phishing call impersonating internal IT
  • Target is told an MFA or SSO update is required
  • Victim directed to highly customized phishing landing page
  • Real-time credential and MFA harvesting
  • Login to Okta, Entra, or Google SSO dashboard
  • Data exfiltration from connected platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Dropbox)

ShinyHunters have used this technique repeatedly across financial services and consumer platforms.

If confirmed, CarGurus would be the 15th organization breached via this model in recent months.
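
A defender-side view of the sequence above, as an added example that is not part of the original advisory: flag a login from an IP never seen for that user that is followed, within a short window, by SSO into several connected apps. The event schema, the 30-minute window, the three-app threshold and all sample events are assumptions constructed for illustration, not a real Okta, Entra or Google log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed tuning value
APP_THRESHOLD = 3               # assumed: distinct apps reached from a new IP

# Constructed events in a hypothetical vendor-neutral schema:
# (timestamp, user, source IP, event type, app name or None)
SAMPLE_EVENTS = [
    ("2026-02-10T09:01:00", "alice", "192.0.2.10", "login", None),
    ("2026-02-10T09:02:00", "alice", "192.0.2.10", "app_sso", "Salesforce"),
    ("2026-02-13T14:05:00", "bob", "192.0.2.20", "login", None),
    ("2026-02-13T14:06:00", "bob", "192.0.2.20", "app_sso", "Microsoft 365"),
    ("2026-02-13T15:30:00", "alice", "203.0.113.77", "login", None),
    ("2026-02-13T15:31:00", "alice", "203.0.113.77", "mfa_enroll", None),
    ("2026-02-13T15:33:00", "alice", "203.0.113.77", "app_sso", "Salesforce"),
    ("2026-02-13T15:36:00", "alice", "203.0.113.77", "app_sso", "SharePoint"),
    ("2026-02-13T15:40:00", "alice", "203.0.113.77", "app_sso", "Dropbox"),
]

def detect_sso_fanout(events, baseline_ips=None):
    """Return sessions where a login from an IP unseen for that user is
    followed within WINDOW by SSO into APP_THRESHOLD or more distinct apps."""
    seen = defaultdict(set)
    for user, ips in (baseline_ips or {}).items():
        seen[user].update(ips)
    sessions, alerts = {}, []
    for ts, user, ip, kind, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "login":
            if ip not in seen[user]:  # first time this user is seen from this IP
                sessions[(user, ip)] = {"user": user, "ip": ip, "start": when,
                                        "apps": set(), "mfa_enrolled": False,
                                        "alerted": False}
            seen[user].add(ip)
            continue
        s = sessions.get((user, ip))
        if s is None or when - s["start"] > WINDOW:
            continue  # known IP, or activity outside the watch window
        if kind == "mfa_enroll":
            s["mfa_enrolled"] = True  # new factor registered from the new IP
        elif kind == "app_sso":
            s["apps"].add(app)
        if len(s["apps"]) >= APP_THRESHOLD and not s["alerted"]:
            s["alerted"] = True
            alerts.append(s)
    return alerts

if __name__ == "__main__":
    for a in detect_sso_fanout(SAMPLE_EVENTS):
        print(a["user"], a["ip"], sorted(a["apps"]), "mfa_enrolled =", a["mfa_enrolled"])
```

An alert with mfa_enrolled set deserves the fastest response, since a factor registered from the new IP keeps access alive after a password reset.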

Impact

This breach carries elevated risk because of its financial-intent context (auto financing data), long historical account coverage, email and phone pairing, and IP address linkage.

Primary downstream threats:
  • Targeted phishing referencing vehicle interest
  • Auto loan fraud attempts
  • Identity theft leveraging address + finance metadata
  • SIM swap attempts where phone numbers are present
  • Credential stuffing against reused passwords

Automotive marketplaces intersect with credit workflows. That increases exploitation value.

Recommended Actions

⚠️ Do not assume this is low sensitivity.

Change Passwords
  • CarGurus account immediately
  • Any account sharing similar credentials

Enable Multi-Factor Authentication
  • Email accounts first
  • Financial platforms second

Watch for Auto Loan Scams
  • Messages referencing financing approvals
  • "Dealer follow-up" emails
  • Refund or rebate offers

Monitor Credit
  • Especially if finance pre-qualification data was submitted

Be Alert for Long-Term Abuse
  • Data spans nearly 20 years
  • Attacks may appear months later

Check Your Exposure
  • If you are an ObscureIQ client, this breach has been indexed into your exposure profile.
  • Non-clients may request a breach impact review.

CarGurus Statement Summary

CarGurus has stated:

  • The affected environment was secured
  • An investigation is ongoing
  • The breach is "limited in scope"
  • Dealer feeds, APIs, and core systems remain operational

However, the publicly released dataset exceeds the initial 1.7M claim and includes over 12M user records.

Scope assessments may evolve as the investigation continues.

ObscureIQ Advisory

This incident fits a broader campaign targeting SSO infrastructure through social engineering rather than technical exploitation. Organizations relying heavily on centralized identity providers are currently high-value targets.

If you are an ObscureIQ client, we can:
  • Cross-reference exposure across automotive, finance, and identity datasets
  • Evaluate whether your financing or IP metadata increases targeting risk
  • Harden executive or dealer-facing accounts

Contact ObscureIQ for a free breach impact check.

If you believe your information may be part of this breach, or want confirmation across other datasets,

We use a multi-layered intelligence stack, combining public and restricted dark-web sources, to confirm whether your data is in circulation.