On February 21, a hacking group called ShinyHunters dumped a 6.1-gigabyte archive of CarGurus user data onto the dark web. 12.5 million accounts. Names, emails, phone numbers, physical addresses, IP addresses, and auto finance application data, all publicly available to anyone who knew where to look.
CarGurus confirmed a "now-contained cybersecurity incident" three days later (per TechCrunch, February 24). By early March, class action lawsuits were filed in Massachusetts federal court.
That's the headline. The bigger story is what car shopping sites collect from you in the first place.
What CarGurus Had on File
The leaked archive contained multiple data sets, according to SecurityWeek: user account ID mappings, finance pre-qualification application data, and dealer account information. For users who'd submitted finance applications through the platform, the exposed data potentially included the information you'd expect on a credit application. Names. Addresses. Employment details. Application outcomes.
CarGurus stated that credit card numbers and Social Security numbers were not stored on the affected systems. But everything else paints a detailed picture of who you are, where you live, what you can afford, and what car you're trying to buy.
The Data That Car Shopping Sites Collect
CarGurus isn't unique here. Every major car shopping platform collects similar data. When you browse listings, submit a lead form, or run a finance pre-qualification, you're handing over information that would make an identity thief's job significantly easier.
Here's what a typical car marketplace has after a few interactions:
- Browsing data: What you searched for, what you clicked, how long you looked, your price range
- Contact info: Name, email, phone number (from lead forms)
- Location data: IP address, zip code, sometimes precise GPS
- Finance info: Income, employment, credit tier (from pre-qualification tools)
- Device fingerprint: Browser type, operating system, screen resolution
CDK Global, the platform powering most dealership software in the US, has data on roughly 250 million unique car shoppers, according to DealershipGuy. That's not a typo. They track complete customer journeys across purchases, service visits, and shopping behavior.
And that's just the marketplace side. Modern connected cars generate about 25 gigabytes of data per hour (per the Mozilla Foundation). Trip history, driving patterns, contacts synced from your phone. About 90% of new cars share this data with third parties.
What Happens When This Data Gets Out
The CarGurus breach is a case study. ShinyHunters, the group behind the attack, is known for social engineering: calling up help desks, pretending to be employees, getting passwords reset. They demanded a ransom from CarGurus. When CarGurus didn't pay, the data went public.
Two class action lawsuits followed within weeks: Ramirez v. CarGurus and Infield v. CarGurus, both filed in the U.S. District Court for the District of Massachusetts (per Bloomberg Law). The plaintiffs allege negligence, breach of implied contract, and unjust enrichment.
For the 12.5 million users in that archive, the risk is real. Phishing emails that reference the exact car you were shopping for. Scam calls from people who know your name, address, and budget. And if you used the finance pre-qualification tool, the archive holds enough data for someone to attempt identity fraud.
How to Check If You Were Affected
Go to Have I Been Pwned and enter the email address you used on CarGurus. The breach was added to the database on February 22. If your email shows up, assume your name, phone number, and address were exposed too.
If you submitted a finance application through CarGurus:
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). It's free and takes about 10 minutes per bureau.
- Monitor your credit reports at annualcreditreport.com for unfamiliar inquiries
- Watch for targeted phishing. If someone emails or calls referencing the exact car you were searching for, that's the breach data at work
How to Shop for Cars Without Giving Everything Away
You don't have to hand over your life story to browse car listings. Some practical steps:
Use a separate email. Create one specifically for car shopping. If it gets breached, your primary accounts aren't exposed.
Skip the finance pre-qualification tools on marketplaces. Go to your bank or credit union directly. They'll give you a rate without your financial data sitting in a car platform's database.
Don't fill out lead forms unless you're ready to buy. Every "get a quote" button sends your contact info to the dealer, and that info stays in the platform's system indefinitely.
Read the privacy policy. Nobody does this. CarGurus' policy, like most, gives the company broad rights to share your data with affiliates and partners. Know what you're agreeing to.
The Oregon universal opt-out law, which took effect in January 2026, now requires companies to honor requests to delete your data. California, Virginia, and 13 other states have similar protections. Use them.
The Uncomfortable Truth
Car shopping in 2026 means giving up more personal data than most people realize. The sites that make it easy to browse listings and compare prices are also building detailed profiles of your finances, location, and buying intent. When those systems get breached, and they will, that profile becomes a weapon.
The CarGurus breach wasn't the first. CDK Global was hit in 2024, knocking out 15,000 dealerships for days. It won't be the last.
CarScout's market pages show real pricing data: what cars are selling for, how long they sit, and how prices compare across your area. You get the data you need to negotiate without submitting lead forms or finance applications to a marketplace that stores it all indefinitely.
Shop with data. Keep your data to yourself.