HACKERS claim to have stolen personally identifiable information and internal corporate data from CarGurus, with Have I Been Pwned saying the breach involves information pertaining to approximately 12.5 million accounts. The incident was disclosed last week after the extortion group ShinyHunters added CarGurus to its Tor-based leak site, and initial claims cited 1.7 million records, later expanded to the larger dataset.
Have I Been Pwned notes that the compromised data includes names, addresses, email addresses, phone numbers, and IP addresses. The breach was described as published publicly after an extortion attempt, containing more than 12 million email addresses across multiple files including user account ID mappings and dealer account and subscription information. Have I Been Pwned also observed that roughly 70% of the email addresses in the dataset have been compromised in other data breaches as well.
CarGurus has not yet publicly acknowledged the incident, with SecurityWeek seeking a statement from the company as this develops, dated 25 February 2026. according to Have I Been Pwned