Alleged CarGurus Data Leak Exposes 12.4 Million Records

A hacking group known as ShinyHunters has published a 6.1GB dataset it claims was taken from CarGurus, the U.S.-based auto shopping site that attracts about 40 million monthly visitors, allegedly exposing 12.4 million user records. Security site Have I Been Pwned, which has added the data to its breach database, says the information includes names, email and physical addresses, phone numbers, IP addresses, account IDs, dealer and subscription details, and finance pre‑qualification application data and outcomes, with roughly 3.7 million records not seen in prior leaks. ShinyHunters, which has a track record of leaking company data after failed ransom talks, is believed to have obtained access through social‑engineering attacks on employees rather than direct technical exploits. CarGurus, in a statement to the outlet, acknowledged a recent 'cybersecurity incident,' said it had contained the activity and was working with a leading cybersecurity firm, and claimed there is no indication core systems or dealer data feeds were affected, though it has not publicly confirmed the full scope or authenticity of the leaked dataset. Cybersecurity researchers warn that if the data is genuine, the combination of personal identifiers and financing‑related information could fuel targeted phishing, fake loan offers and identity‑theft attempts against U.S. consumers who used the platform for car searches or pre‑qualification.

Cybersecurity and Data Breaches | U.S. Consumer Privacy

📌 Key Facts

  • ShinyHunters published a 6.1GB file on Feb. 21 claiming to contain 12.4 million CarGurus user records.
  • Have I Been Pwned reports the data includes contact details, account IDs, dealer and subscription information, and finance pre‑qualification application data and outcomes.
  • Roughly 70% of the dataset overlaps with previous breaches, but about 3.7 million records are newly exposed.
  • CarGurus has acknowledged a 'cybersecurity incident' and says it has contained the activity and seen no indications core systems or dealer data feeds were affected.
  • ShinyHunters is known for using social‑engineering tactics on employees to gain access to cloud systems storing customer data.

📊 Relevant Data

In 2021, the prevalence of identity theft victimization in the past 12 months was 10.3% for White non-Hispanic U.S. residents age 16 or older, compared to 8.2% for Black non-Hispanic, 6.1% for Hispanic, 6.5% for Asian/Native Hawaiian/Other Pacific Islander, and 13.0% for other races (including American Indian or Alaska Native and two or more races). These rates indicate significant differences, with Whites having higher rates than Blacks, Hispanics, and Asians, and other races higher than Whites. For context, U.S. population shares (2020-2024 estimates) are White alone, not Hispanic or Latino 57.5%, Black alone 13.7%, Hispanic or Latino 20.0%, Asian alone 6.7%, Native Hawaiian and Other Pacific Islander alone 0.3%, American Indian and Alaska Native alone 1.4%, and two or more races 3.1%. Whites comprised 70.2% of victims, overrepresenting their 57.5% population share, while Blacks comprised 10.8% of victims (under their 13.7% share), and Hispanics 11.6% (under their 20.0% share).

Victims of Identity Theft, 2021 — Bureau of Justice Statistics

The number of data compromises in the United States increased from 1,859 in 2021 to 3,322 in 2025, while the number of records exposed fluctuated, rising from 351.83 million in 2021 to a peak of 1,367.12 million in 2024 before dropping to 278.83 million in 2025.

Number of data breaches and exposed records in the United States from 2005 to 2025 — Statista
