Data Breach · Automotive / E-commerce · United States · February 2026

CarGurus

Analysis of the CarGurus data breach reportedly exposing 12.4 million user records including hashed passwords.

Records Affected

12.4 million users

Attack Type

Data Breach

Location

United States

Data types exposed

Names, email addresses, phone numbers, physical and IP addresses, hashed passwords, auto finance application data, dealer account information

What Happened

In February 2026, data from approximately 12.4 million CarGurus user accounts was reported exposed. The compromised data includes account records, names, email addresses, and hashed passwords.
The inclusion of hashed passwords is significant: the level of risk depends on the hashing algorithm used. Fast, unsalted algorithms such as MD5 or SHA-1 can be cracked relatively quickly on modern hardware.

Timeline

  • February 13, 2026 — Breach occurs via social engineering of Okta SSO credentials
  • February 2026 — ShinyHunters initially claims 1.7 million records
  • February 2026 — 6.1GB archive reportedly leaked containing 12.5 million accounts
  • February 2026 — Have I Been Pwned lists affected accounts

Threat Actor Profile

ShinyHunters is a prolific data breach group active since 2020, responsible for breaches at dozens of organisations. In early 2026, the group conducted a coordinated campaign targeting Okta SSO credentials via voice phishing (vishing).
The group's typical modus operandi involves compromising SSO credentials to gain broad access to cloud environments, then allegedly exfiltrating and publishing data when extortion demands are not met.

Impact and Risk Assessment

For Individuals

12.5 million users had account data exposed including names, email addresses, phone numbers, and hashed passwords.
Auto finance pre-qualification application data may include Social Security numbers and financial details for users who applied for vehicle financing.
70% of the leaked email addresses were already present in Have I Been Pwned from previous incidents, compounding existing exposure.

For Organisations

Auto dealers using the CarGurus platform may have had their account information and business data exposed.
Organisations in the automotive finance sector should monitor for fraud attempts using compromised pre-qualification data.

Regulatory Context

If SSNs from finance applications were included, state breach notification laws and potentially federal financial regulations apply.

What Should You Do?

For Individuals

  • Change your CarGurus password immediately and any other accounts where you used the same password.
  • If you submitted a finance pre-qualification application through CarGurus, monitor your credit reports for unauthorised inquiries.
  • Be alert to phishing emails impersonating CarGurus or auto finance providers.

For Security Professionals

  • Prioritise phishing-resistant MFA such as FIDO2/WebAuthn, whose credentials cannot be read out or relayed over a phone call during a vishing attack.
  • Review your SSO configuration to ensure that a single compromised account cannot provide access to entire customer databases.

Learnings and Recommendations

The inclusion of hashed passwords is a reminder that hashing is a defence in depth, not an absolute guarantee. The strength depends on the algorithm, salting, and computational cost factor.
Any organisation storing user credentials should evaluate whether their hashing implementation would withstand an attacker with access to the hash database and modern GPU hardware.
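As an added example (not code from the advisory or from CarGurus), the Python below evaluates a stored password hash on exactly the three properties named above (algorithm, salting, cost factor) and shows a salted, memory-hard scheme beside it. The recognised formats, rating thresholds and sample hashes are constructed assumptions, not anything taken from the incident.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class HashAssessment:
    algorithm: str
    salted: bool
    cost: str      # work factor as stored, or "none" for single-pass digests
    rating: str    # "weak" | "adequate" | "strong" | "unknown"

# Thresholds (bcrypt cost >= 10, PBKDF2-SHA256 >= 600k iterations) follow common
# current guidance and are assumptions; adjust to your own risk appetite.
def assess_stored_hash(stored: str) -> HashAssessment:
    """Judge a stored hash on algorithm, salting and computational cost."""
    if m := re.fullmatch(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}", stored):
        rounds = int(m.group(1))
        return HashAssessment("bcrypt", True, f"2^{rounds}", "strong" if rounds >= 10 else "adequate")
    if m := re.fullmatch(r"\$argon2(id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=\d+\$[^$]+\$[^$]+", stored):
        return HashAssessment("argon2" + m.group(1), True, f"m={m.group(2)},t={m.group(3)}", "strong")
    if m := re.fullmatch(r"pbkdf2_sha256\$(\d+)\$[^$]+\$[^$]+", stored):
        iters = int(m.group(1))
        return HashAssessment("pbkdf2_sha256", True, str(iters), "strong" if iters >= 600_000 else "adequate")
    if m := re.fullmatch(r"scrypt\$(\d+)\$[0-9a-f]+\$[0-9a-f]+", stored):
        return HashAssessment("scrypt", True, f"N={m.group(1)}", "strong")
    for name, width in (("md5", 32), ("sha1", 40), ("sha256", 64)):
        if re.fullmatch(rf"[0-9a-f]{{{width}}}", stored):
            # Bare hex digest: no salt, one pass, so rainbow tables and GPU brute force apply directly.
            return HashAssessment(name, False, "none", "weak")
    return HashAssessment("unknown", False, "unknown", "unknown")

# Memory-hard replacement using only the standard library (scrypt via OpenSSL).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB per guess; raise N as hardware allows
SCRYPT_MAXMEM = 64 * 2 ** 20                   # explicit ceiling so larger N does not fail silently

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM)
    return f"scrypt${SCRYPT_N}${salt.hex()}${dk.hex()}"   # constructed storage format

def verify_password(password: str, stored: str) -> bool:
    _, n, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison
```

Running `assess_stored_hash` over a sample of a credential table is a quick way to answer the question the paragraph above poses before an attacker does.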
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.