CarGurus 2026 Data Breach

CarGurus Automotive Marketplace Breach (2026): 12 Million Customer Records Including VIN & Home Address Exposed via ShinyHunters | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

ShinyHuntersSocial EngineeringVehicleEmail AddressFull NameIP AddressPhone NumberPhysical AddressVehicle VIN
High SeverityWebsite / service breach

CarGurus Automotive Marketplace Breach (2026): 12 Million Customer Records Including VIN & Home Address Exposed via ShinyHunters

Automotive marketplace for vehicle listings, financing, and dealer tools.

Verified by ObscureIQ Intelligence
65/100Breach Risk Index
10Data Value
80Market Recency
64dSince Breach

Breach Intelligence Summary

Entity: CarGurus · Actor: ShinyHunters · Sources: 3 references
Attack: Social Engineering
Profile: Platform · Automotive buying and selling · Online vehicle marketplace · Global
Timeline: Breach (2026-02-14) · Indexed (Feb 22, 2026) · Year (2026)
Exposure: 12.4M records · 6 fields: Email Address, Full Name, IP Address, Phone Number, Physical Address, Vehicle VIN
Status: Confirmed

Executive Summary

CarGurus, the publicly traded online automotive marketplace, suffered a data breach in February 2026 claimed by the cybercriminal group ShinyHunters. The group is known for large-scale data theft followed by extortion attempts, and the data was publicly released after an alleged failed extortion effort. The breach exposed approximately 12.4 million records drawn directly from customer accounts. The exposed data includes names, email addresses, phone numbers, physical addresses, IP addresses, and vehicle identification numbers (VINs). The combination of personal contact details with VINs is particularly sensitive. It links individuals to specific vehicles, which creates a detailed profile that can be exploited in targeted scams, including phishing emails, dealership impersonation, and fraudulent financing offers timed to a user's apparent interest in buying or selling a vehicle. As of early 2026, CarGurus had not made detailed public statements about the incident, and no formal regulatory response or notification process had been widely documented. Affected individuals should be alert to unsolicited contact referencing their vehicle, financing applications, or CarGurus account activity, as the specificity of the exposed data makes such lures especially believable.

ObscureIQ assessment: This supports phishing, dealership impersonation, financing scams, and fraud aimed at buyers or sellers during a vehicle transaction. Vehicle-shopping intent makes these users especially vulnerable to timely, believable lures.

Breach Impact

In February 2026 ShinyHunters claimed responsibility for a breach of CarGurus systems, with a dataset of approximately 12.4 million records subsequently circulated. The exposed data included names, email addresses, phone numbers, physical addresses, IP addresses, and vehicle identification numbers tied to customer accounts. The inclusion of VINs linked to account holders creates a specific risk profile — combining identity data with vehicle ownership information. CarGurus has not made detailed public statements about this incident, and formal notification obligations and any regulatory response have not been widely documented in public sources as of early 2026.

About CarGurus

CarGurus is an online automotive marketplace that connects car buyers and sellers through vehicle listings, pricing analytics, dealer tools, and financing services. The company is publicly traded on the Nasdaq and headquartered in Cambridge, Massachusetts. It operates in the United States and several international markets, generating revenue through dealer subscriptions, advertising, and digital transaction services including its CarOffer wholesale platform.

Why They Hold Your Data

Automotive marketplace platforms collect buyer and seller contact information, account data, inquiry records, and vehicle-interest signals tied to car shopping and dealer interactions.

Recent Developments

CarGurus has been managing the integration of CarOffer, its wholesale vehicle marketplace acquisition, while navigating a used vehicle market affected by elevated prices and shifting consumer demand. The company has invested in digital retailing tools for dealers and expanded its financing product offerings. Leadership has remained focused on profitability and its dealer-facing subscription business as primary growth drivers.

Data Points Exposed

6 verified field types
Email Address
Full Name High
IP Address
Phone Number
Physical Address High
Vehicle VIN

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Geolocation & account flagging
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Geolocation & property fraud
  • Title washing & vehicle fraud

Threat Actor: ShinyHunters

ShinyHunters
Social Engineering

Attribution and method are based on available breach intelligence. Reported attack vector: Social Engineering.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the CarGurus breach?

CarGurus, the publicly traded online automotive marketplace, suffered a data breach in February 2026 claimed by the cybercriminal group ShinyHunters. The group is known for large-scale data theft followed by extortion attempts, and the data was publicly released after an alleged failed extortion…

What data was exposed?

Verified fields include Email Address, Full Name, IP Address, Phone Number, Physical Address, Vehicle VIN.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation