Security | June 12, 2026 | 8 min read

What to Do After the CarGurus Data Breach

By Sarah Chen

Head of Privacy Research

In February 2026, automotive marketplace CarGurus suffered a massive data breach that exposed the personal information of more than 12 million users. The hacking group ShinyHunters claimed responsibility after using social engineering to bypass multi-factor authentication, and when CarGurus refused to pay a ransom, the stolen data was published on a dark web leak site. Here's what happened and what you should do right now to protect yourself.

What Happened in the CarGurus Breach

On or around February 13, 2026, attackers impersonated IT support staff and contacted CarGurus employees by phone. Using sophisticated social engineering techniques, they tricked employees into providing Single Sign-On (SSO) codes, which allowed the hackers to bypass multi-factor authentication and gain access to internal systems.

The hacking group ShinyHunters initially claimed to have exfiltrated approximately 1.7 million records. However, on February 21, 2026, the group published a 6.1-gigabyte archive on a dark web leak site containing an estimated 12.4 million records across multiple files.

What Data Was Exposed

The breach compromised a wide range of personal information, including:

  • Email addresses — more than 12 million across multiple files
  • Full names and phone numbers
  • Physical addresses and IP addresses
  • User account ID mappings
  • Auto finance pre-qualification application data
  • Finance application outcomes
  • Dealer account and subscription information

Financial Data at Risk

If you applied for auto financing through CarGurus, your financial application data may have been exposed. This could include information submitted during pre-qualification, making you a target for identity theft and fraudulent loan applications.

How to Know If You Were Affected

If you ever created a CarGurus account, listed a vehicle, applied for financing, or even browsed while logged in, your data may be part of this breach. CarGurus is facing class action lawsuits and has begun notifying affected users, but you shouldn't wait for an official notification to take action.

You can check whether your email was included in the breach by visiting Have I Been Pwned (haveibeenpwned.com), which has added the CarGurus dataset to its database.

Steps to Protect Yourself Right Now

1. Change Your CarGurus Password Immediately

If you used the same password on other sites, change those too. Use a unique, strong password for every account and consider using a password manager to keep track of them.

2. Enable Two-Factor Authentication Everywhere

While the attackers bypassed MFA in this breach through social engineering, having two-factor authentication on your accounts still provides critical protection against most attacks. Use an authenticator app rather than SMS-based codes when possible.

3. Monitor Your Credit Reports

Since financial pre-qualification data was exposed, monitor your credit reports closely for any unauthorized inquiries or new accounts. You're entitled to free weekly credit reports from all three bureaus at AnnualCreditReport.com.

4. Consider a Credit Freeze

A credit freeze prevents anyone from opening new accounts in your name. Contact Equifax, Experian, and TransUnion individually to place a freeze. This is free and can be temporarily lifted when you need to apply for credit.

5. Watch for Phishing Attempts

With your name, email, phone number, and physical address exposed, expect an increase in targeted phishing attempts. Be skeptical of any unsolicited emails, calls, or texts — especially those claiming to be from CarGurus, your bank, or auto dealerships.

6. Monitor Your Financial Accounts

Review your bank statements, credit card transactions, and any auto loan accounts for unauthorized activity. Set up transaction alerts so you're notified immediately of any suspicious charges.

File an FTC Report

If you discover any signs of identity theft, file a report at IdentityTheft.gov. This creates an official record and provides a personalized recovery plan. You should also file a report with your local police department.

Remove Your Information From Data Brokers

After a breach of this scale, your exposed data often ends up on data broker and people-search sites, making it even easier for scammers to build a complete profile on you. Removing your personal information from these sites is a critical step in reducing your attack surface.

A service like PrivacyOn can help by continuously monitoring and removing your personal information from 100+ data broker sites. This is especially important after a breach, when your data is being actively traded and aggregated by bad actors. PrivacyOn also includes dark web monitoring to alert you if your information appears in new data dumps.

Legal Actions and What to Expect

CarGurus is currently facing multiple class action lawsuits from consumers who allege the company failed to adequately protect their personal information. If you were affected, you may be eligible to participate in a class action settlement. Keep an eye on official communications from CarGurus and consult with a legal professional if you believe you've suffered damages.

Long-Term Protection Steps

Data breaches are increasingly common, with the average cost now reaching $4.88 million per incident. The trend in 2026 shows attackers increasingly using social engineering — targeting people rather than exploiting software vulnerabilities. Protect yourself long-term by:

  • Using unique passwords for every account
  • Enabling hardware security keys for your most important accounts
  • Regularly checking Have I Been Pwned for new breach exposures
  • Keeping your personal information off data broker sites with a service like PrivacyOn
  • Being skeptical of anyone asking for authentication codes over the phone

The CarGurus breach is a stark reminder that even large, well-known companies can be compromised through human error. Taking proactive steps now can significantly reduce your risk of becoming a victim of identity theft or fraud.

Sarah Chen

Head of Privacy Research

CIPP/US Certified, IAPP Member, B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
