ShellCodeX Breach Report
CarGurus Data Breach
cargurus.com
Verified breach
Accounts exposed
12,461,887
Breach date
14 Feb 2026
Added to tracker
22 Feb 2026
Data classes
5
What happened
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
Exposed data
Email addresses
IP addresses
Names
Phone numbers
Physical addresses
Recommended actions
- Watch for targeted phishing emails referencing CarGurus โ attackers weaponise breach data quickly.
- Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
- Exposed identity data raises identity-theft risk โ consider credit monitoring or a credit freeze.
- Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected?
Check whether your email address appears in this breach.
Check on HIBP