CarGurus reportedly hit by ShinyHunters as 12.5 million accounts potentially compromised. Has your personal information been exposed?
Join the Claim isn’t a law firm. We connect you with regulated UK firms that run group action claims. If one of our partner firms takes this case forward, we’ll share more details, including how to check your eligibility.
Register your interest
Overview
Online car marketplace CarGurus is the latest company to be targeted by the hacking group known as ShinyHunters.
According to posts on the group’s data leak site and multiple media reports, the attackers claim to have stolen up to 1.7 million records. Some reports suggest the dataset may contain more than 12 million email addresses across multiple files.
The group is also said to have issued a public ultimatum, warning CarGurus to make contact by a specified deadline or risk having the data published on the dark web. This is a tactic commonly used in ransomware-style extortion attempts.
According to reports, the exposed data could include:
• Names
• Email addresses
• Phone numbers
• Physical addresses
• IP addresses
• Information linked to finance pre-qualification applications
• Dealer account and subscription data.
If you have used CarGurus and your personal data has been compromised, you may be entitled to compensation. In the US, lawsuits have already been launched over the data breach.
Register your interest today and we will keep you updated if one of our regulated UK partner law firms is able to take a claim forward.
CarGurus data breach – At a glance
Why register with Join the Claim?
Join the Claim is bringing people together — uniting those who want answers, accountability and stronger data protections from the businesses they trust.
Staying informed is the first step towards change. By registering alongside others affected, you’re showing that people expect better. And that when something goes wrong, they want to see it put right.
What do we know about the CarGurus data breach?
How Join the Claim works
Take a moment to answer a few simple questions so we can understand your connection and keep you updated.
Share your details so we can keep you informed if any updates become available.
If a partner law firm takes this claim forward, we’ll let you know the next steps and how to join.
Latest updates on the CarGurus data breach
10 March 2026
According to one proposed class-action lawsuit in the US*, CarGurus Inc. has not yet acknowledged the data breach that allegedly exposed the personal information of more than 12 million customers.
The action claims that "that defendant's negligent security practices led to a data breach exposing 12.4 million records containing sensitive personal and financial information, while failing to provide timely notification to affected individuals who learned of the breach through media reports."
13 February 2026
ShinyHunters claims it gained access to CarGurus systems as part of a wider campaign of vishing attacks targeting multiple organisations.
Posts appear on the group’s data leak site warning CarGurus to respond before data is published.
In the US, lawsuits are launched over the data breach.
We’ll provide more updates on the data breach as they occur.
Are you affected by the CarGurus data breach?
Register to stay updated and we’ll let you know if a partner law firm takes this claim forward.
Frequently asked questions about the CarGurus data breach
A hacking group known as ShinyHunters has claimed responsibility for breaching CarGurus systems. The group alleges that it obtained access to internal systems through voice phishing (vishing) techniques and extracted personal and corporate data.
Based on reports so far, the compromised data may include:
Breaches involving personal data can increase the risk of:
If you are based in the UK and your personal data was compromised due to a company’s failure to protect it properly, you may have the right to seek compensation under data protection law. Whether a claim is possible will depend on:
Register your interest today and we will keep you updated if one of our regulated UK partner law firms is able to take this claim forward.
We are not a law firm. Our role is to keep people informed about potential group actions if one of our regulated UK partner law firms is able to take this claim forward.
By registering, you’ll stay up to date with any developments — from investigations to possible legal action.
No. Registering simply means you’ll receive updates. If a law firm later takes on the case, you’ll be given the option to learn more about the process and any potential costs before deciding whether to take part.
A group action claim allows people affected by the same issue to take action together. This strength in numbers helps stand up to big organisations. Join the Claim helps connect people with law firms so these actions have a real impact.
You might also like
We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.
Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.
Join the Claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 32 Eyre Street, Sheffield, England, S1 4QZ
© Join the Claim All Rights Reserved |
