
Background
CarGurus, Inc. has reportedly confirmed a cybersecurity incident affecting its systems and user data. The incident, which reportedly occurred on or about February 13, 2026, came to public attention when Troy Hunt, a prominent Australian cybersecurity consultant affiliated with Microsoft and the founder of the breach notification service Have I Been Pwned, published data indicating that personally identifiable information (“PII”) held by CarGurus had been compromised.
The Incident
A. Alleged Threat Actor and Attack Vector
The compromised data allegedly includes a broad range of personally identifiable and financially sensitive information. On February 21, 2026, ShinyHunters published a 6.1 gigabyte archive purportedly containing 12.4 million records sourced from CarGurus. The following day, the Have I Been Pwned (“HIBP”) breach monitoring platform ingested the dataset and identified the following categories of compromised data:
- email addresses
- IP addresses
- full names
- phone numbers
- physical addresses
- user account IDs
- finance pre-qualification application data
- finance application outcomes
- dealer account details
- subscription information
Responsibility for the breach has been claimed by “ShinyHunters,” a well-documented black-hat threat actor collective with a history of large-scale data exfiltration operations.
ShinyHunters has publicly asserted that the intrusion was executed through social engineering, specifically a practice called “vishing” (voice phishing), in which threat actors place fraudulent telephone calls impersonating trusted entities such as banks, government agencies, or technical support personnel in order to obtain access credentials. The group alleges it used this method to acquire single sign-on (“SSO”) authentication codes associated with Okta, Microsoft, and Google services.
According to reporting by TechRadar and confirmed by ShinyHunters’ own public statements, the group claims to have exfiltrated approximately 1.7 million records containing PII and other internal corporate data. The group has further threatened to publicly dump the stolen data on the dark web unless CarGurus takes remedial action. The CarGurus incident is alleged to be part of a broader campaign comprising at least fifteen separate breaches attributed to “ShinyHunters” and the affiliated group “Scattered Lapsus$ Hunters” since 2025.
B. Company Response
CarGurus has acknowledged the incident in a public statement, indicating that it secured the affected environment upon discovery and retained an independent cybersecurity firm to conduct a forensic investigation. The company’s spokesperson stated, “Based on our investigation to date, the activity has been contained and limited in scope,” and further represented that “it doesn’t appear that the incident involved a broad set of highly sensitive data.” The company additionally represented that dealer data feeds, APIs, and core systems utilized by its dealer partners were not compromised, and that its services remain fully operational. The investigation is reportedly ongoing as of this date.
The inclusion of financial application data is of particular concern, as many state statutes impose heightened requirements and shorter notification windows for breaches involving financial or credit-related records. As of the date of this report, CarGurus has not released an official public breach notification.
What Should Dealers Do Now?
A. Breach Notification Requirements – Determine the Scope of the Data Breached
Public reports indicate that the affected data included highly sensitive personal information that would likely trigger an obligation to notify consumers under various state data breach reporting statutes, as well as the FTC Safeguards Rule. Critically, however, there is currently no indication that any of the data involved in this breach was controlled by dealers at the time of the breach. State and federal data breach notice laws use differing terms to define the party responsible for providing the notice[1], but the underlying theory is the same: the entity that had control over, or rights in, the data at the time it was breached is the entity obligated to notify.
Dealers generally engage[2] with CarGurus as a lead provider, meaning that CarGurus obtains information from consumers and then may pass that information along to dealers. Again, the indication is that the breach occurred in CarGurus’ systems, which would presumably be before the information was shared with dealers. If that is so, then should an obligation to notify arise, it appears that obligation will fall on CarGurus, on its own behalf, and not on dealers.
That said, the reported details for this incident are limited. Dealers should consider confirming that none of the affected data was data that came from a dealer to CarGurus. Should that be the case, the analysis would likely be different.
B. Protect Your Store Against Similar Attacks
The entity claiming responsibility for this attack has victimized several other businesses, including several in the automotive space, with similar attack methods. Dealers are encouraged to remind their personnel to exercise extreme caution before providing sensitive log-in credentials to anyone—particularly if the person is unknown to you, and is pressing you for urgent action.
Unfortunately, these social engineering efforts can be sophisticated. The bad guys aren’t likely to call completely out of the blue, or to be clueless as to context, pretending to be someone you don’t know at all. They will use names you know, details that sound convincing, and, again, will press your team to act because there is an “urgent need” to provide the information they are seeking.
Lastly, if your dealership has shared business information with CarGurus—such as employee email addresses, payment information, or other details—you may want to notify affected employees to be particularly careful with respect to social engineering efforts and attacks such as wire transfer or other types of fraud. This data may have been included in the data that was breached, so additional caution is warranted.
Conclusion
Dealers should continue to monitor this situation and seek details as quickly as they become available to ensure no “dealer data” was involved in this breach incident. Dealers should also remind their employees of these risks, and may want to implement enhanced training and controls with a particular focus on phone-related fraud attempts. ComplyAuto will report additional relevant information as it becomes available.
[1] The term describing the entity responsible for notifying customers varies across state data breach notification statutes, including terms such as the entity that “maintains,” “collects,” “owns,” “licenses,” “controls,” etc. the covered consumer data.
[2] This does not cover the vehicle inventory data sent by dealers to CarGurus for listing on the site. While dealers should confirm this fact, that data should not include any personal information that would be covered by a breach notice requirement.
DISCLAIMER: This article is prepared for informational purposes only and does not constitute legal advice. The analysis herein is based solely on publicly available information and company statements as of February 2026. Readers should consult qualified legal counsel for advice specific to their circumstances.