CarGurus Inc logo visible on display screen.

CarGurus data breach: 12 million email addresses possibly exposed

Reports have emerged that online car marketplace CarGurus has been targeted by the hacking group ShinyHunters, with claims that more than 12 million email addresses appear across leaked data files. 

We have already been contacted by individuals concerned that their personal information may have been caught up in the breach.

Here’s what we know so far, and what it could mean if you’re affected.  

What has been reported?

According to posts on the group’s data leak site and coverage in the technology press, ShinyHunters claims to have breached CarGurus systems in February 2026. 

The group alleges it extracted around 1.7 million corporate records. However, breach-monitoring sources suggest the wider dataset may include more than 12 million email addresses across multiple files, alongside other personal information. 

The attackers are also said to have issued an ultimatum, warning CarGurus to respond before a deadline or risk having the data published on the dark web, a tactic commonly associated with ransomware-style extortion. 

Based on reports so far, the exposed data could include:

  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • IP addresses
  • Finance pre-qualification application data
  • Dealer account and subscription information.  

How did the attack happen?

Security experts have linked this incident to a broader campaign of “vishing” attacks attributed to ShinyHunters. 

Vishing — short for voice phishing — involves attackers impersonating IT staff over the phone. Employees are persuaded to reset login credentials or reveal multi-factor authentication (MFA) codes.

Once access to a single sign-on system is gained, attackers can move across internal systems and extract large volumes of data.

Several well-known organisations have reportedly been targeted using similar tactics in recent months. 

What harm could this cause?

If your information was included, you could face: 

  • Increased phishing emails designed to look like legitimate car finance or dealership communications
  • Scam phone calls using personal details to appear convincing 
  • Identity fraud, particularly if address and date-of-birth information were involved
  • Financial scams linked to finance pre-qualification data 
  • Account takeover attempts if email addresses are reused elsewhere. 

Cybercriminals often combine breached datasets with information from other leaks to build detailed profiles of individuals. That makes subsequent scams more sophisticated and harder to spot. 

For many people, the impact is not just financial. The stress and uncertainty caused by a data breach can be significant.

Since reports of the alleged breach emerged, we have been contacted by individuals who believe their data may have been exposed.  

Can you claim compensation?

Under UK data protection law, organisations must take appropriate technical and organisational measures to protect personal data. If it is shown that a company failed to do so, and that failure led to your data being compromised, you may have the right to seek compensation — particularly if you suffered financial loss or distress. 

Whether a claim is possible will depend on: 

  • What data was involved
  • How the breach occurred
  • Whether appropriate safeguards were in place 
  • The impact on you personally. 

At this stage, the facts are still developing. But if you believe you may have been affected, staying informed is sensible. 

What should you do now?

If you have used CarGurus, consider: 

  • Being cautious about unsolicited emails or calls referencing car purchases or finance
  • Checking your accounts for unusual activity
  • Using strong, unique passwords and enabling multi-factor authentication where possible
  • Monitoring your credit file if finance data may have been involved. 

And if you want to stay updated on any regulatory findings or potential legal action with one of our partner law firms, you can register your interest with Join the Claim.  

As more verified information becomes available, we will continue to update our coverage. 

Find out more

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.

Found this helpful? Share it

Facebook
Twitter
WhatsApp
LinkedIn
Email

Or

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

See more

Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

How to claim compensation for flight delays or cancellations in the UK

Delayed 3+ hours or had a cancelled flight? You could claim up to £520 under...
There is a notebook with the word Opt out.
  • News

Billions in compensation is on the table, don’t miss out on your share

Massive UK collective actions could return billions to consumers, yet awareness remains low. Discover the...
Anxious young woman holding a credit card and staring at a tablet concerned about bank app glitch
Lloyds banking app glitch affected nearly 450,000 customers
Lloyds says a software defect caused a banking app glitch that affected up to 447,936 customers.
Metal credit card Mastercard Macro
Mastercard £200m settlement approved but payouts delayed
Millions of UK consumers could receive £45–£70 after the £200m Mastercard settlement.
Mobile Fraud Alert, Phone scam ads, Online Warning. Spam Distribution or Malware Spreading Virus - mobile fraud alert warning notification.
Scam alert update: March 2026
Stay alert this March with the latest scam warnings from Join the Claim
person holding a phone, social media
Social media addiction verdict sparks debate about platform design in the UK
The US verdict against Meta and YouTube is already prompting debate among UK researchers, policymakers and regulators about addictive platform design and child safety.
image of March 2026 calendar and the Join the Claim Logo
What we’ve been working on at Join the Claim in March
Get a round-up of what we’ve been working on this month at Join the Claim, including new claims and updates.
In this photo illustration Apple and Amazon logos are seen on a mobile phone and a computer screen. select focus
Apple and Amazon face £900 million claim over Apple and Beats product sales
A new UK competition claim alleges Apple and Amazon restricted third-party sellers of Apple and Beats products, potentially leading to higher prices for consumers.
Hand Holding Smartphone Shows Social Media
US jury rules against social media giants in addiction case
A US jury has found Meta and YouTube liable in a landmark social media addiction case, awarding $6m in damages.
Moving high-speed train
Train delay compensation changes: what the new rules mean for passengers
New plans could make Delay Repay claims simpler. Here’s what’s changing and what it means for passengers.
man hand hold smartphone and use social media network application
MPs reject social media ban for under-16s as regulators warn tech giants over child safety
MPs have voted against banning under-16s from social media, but UK regulators are increasing pressure on platforms to strengthen child safety protections.
Woman At Home Boiling Kettle For Hot Drink With Smart Energy Meter In Foreground
Smart meter problems: the new 90-day rule that could mean £40 compensation
New rules give energy suppliers 90 days to fix faulty smart meters — and customers could receive £40 compensation if they fail.
Cropped top view of male hands, man typing on laptop keyboard,
Companies House data breach: millions of UK businesses potentially exposed
A Companies House WebFiling error may have exposed director details and company records. Here’s what UK businesses should do now.
There is a notebook with the word Opt out.
Opt-out claims explained
Opt-out claims could return billions to UK consumers. Learn how opt-out collective actions work in our new guide.
The Transport for London logo on an information leaflet
TfL data breach: millions may not realise their information was exposed
Up to 10 million people may have been affected by the TfL data breach, but millions may never realise their personal information was exposed. 
Closeup image of hand holding a digital ID on black background.
Government relaunches digital ID scheme as voluntary system
The UK government has relaunched its digital ID plans as a voluntary system. Why are there still concerns about security and data protection?
No-win, no-fee text in front of an image representing a law concept
Signed a “no win, no fee” claim and having second thoughts? Here’s what to know
Signed a no win, no fee agreement and feeling unsure? Learn how conditional fee agreements, ATE insurance and cooling-off periods work in the UK.

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 32 Eyre Street, Sheffield, England, S1 4QZ

© Join the Claim All Rights Reserved |

2026
Go to claims