According to the dealer website blog by the used car advertising platform Auto Ad Manager, CarGurus.com suffered a data breach in February 2026.  This breach is impacting an estimated 12.5 million user and dealer accounts, according to data compiled by HaveIBeenPwned.com.

The breach has been linked to the hacker group known as ShinyHunters, which reportedly attempted to extort CarGurus before releasing the stolen data when their demands were not met.

What Information Was Exposed?

The compromised dataset is extensive and includes both consumer and dealer-related information, such as:

  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Finance pre-qualification data
  • Dealer account and subscription details
  • IP addresses
  • User account ID mappings

This level of exposure presents meaningful risk — particularly due to the inclusion of financial pre-qualification information and identifiable dealer account data.

cargurus hack february 2026

Screenshot

Who Is Affected?

Both CarGurus users and automotive dealers appear to be impacted.

While the attackers initially claimed to have obtained 1.7 million records, the total number of accounts exposed is now estimated at 12.5 million, based on data surfaced on February 20, 2026.

What Should Dealers and Consumers Do Now?

As of now, CarGurus has not issued a public statement regarding the breach.

If you have an account on the platform, prudent next steps include:

  • Updating your CarGurus password immediately
  • Ensuring that password is not reused on other platforms
  • Placing a fraud alert on your credit file if sensitive personal data may have been exposed
  • Monitoring financial and credit activity for suspicious behavior

Users may also request deletion of their CarGurus account by contacting:

[email protected]

A Broader Industry Reminder

This breach underscores a larger reality for automotive retail and digital marketing platforms:
Any time customer or dealer data is shared with third-party platforms, trust becomes a critical vulnerability point.

Even when companies meet regulatory standards, risks can still emerge through:

  • Inconsistent internal security practices
  • Third-party vendors
  • External integrations

Dealers should consider reviewing:

  • Vendor data-sharing practices
  • Account access policies
  • Use of unique credentials and multi-factor authentication across platforms

Consumers can reduce future risk by:

  • Using unique passwords for each service
  • Enabling two-factor authentication when available
  • Periodically deleting unused accounts

Not an Isolated Incident

Notably, the same group reportedly targeted CarMax earlier this year, exposing data from over 431,000 users following another unsuccessful extortion attempt.

The pattern highlights a growing focus by threat actors on automotive retail platforms — a space increasingly reliant on large volumes of consumer data.