CarGurus Data Breach

Have you had your personal data leaked by CarGurus?

KP Law are investigating a substantial data breach by automotive retailer CarGurus. It is believed that over 12 million account holders could be affected.

If you believe you may have been affected by this serious cyber incident then let KP Law know today.

Have you ever registered on CarGurus.co.uk?

In February 2026 CarGurus was reportedly infiltrated by the cybercrime group ShinyHunters. While the group initially claimed to have accessed 1.7 million customer records, cyber experts have suggested that the stolen data may in fact contain the personal data of over 12 million customers. Data accessed illegally could include details such as names, home addresses, email addresses, phone numbers and information linked to finance pre-qualification applications.

KP Law is building a claim against CarGurus. This is a severe breach and we understand the potential impact on those affected. We believe you deserve justice. If you had/have an account with CarGurus, you may qualify to join our claim.

What do we know about the CarGurus data breach?

Notorious cybercriminal group ShinyHunters claimed to have infiltrated CarGurus' internal systems sometime in February 2026. The data was reportedly stolen through a “vishing” or voice phishing attack, where criminals impersonate IT staff over the phone in order to trick staff into handing over login credentials or two-factor authentication codes. 1.7 million records containing personally identifiable information were accessed and up to 12.5 million accounts were leaked on the dark web in a 6.1GB archive in the days after.

This data has reportedly been exfiltrated and has been made available for download on the dark web.

How have CarGurus responded to the data breach?

In the wake of the breach CarGurus launched an internal investigation in partnership with a cybersecurity firm. They claim to have reached out to dealerships to alert them to the breach and say that the dealerships should have reached out to those affected. They do not believe that any account passwords were stolen, but recommend customers use strong passwords as a precaution.

You may be eligible for the claim if you:

  • Had an account with CarGurus in or before February 2026
  • Received a notification from the company about the data breach
  • Believe your data may have been compromised

Under the UK GDPR and Data Protection Act 2018, you are entitled to compensation if you suffer either material or non-material damage due to a data breach.

What happens next for CarGurus customers?

Our team at KP Law has a strong track record of holding large corporations accountable for data misuse and privacy breaches. We operate on a no-win, no-fee basis, so there’s no cost to you unless your claim is successful.

KP Law is one of the leading law firms in England & Wales, specialising in what is often referred to as group action litigation. We champion the rights of individuals, acting as someone on your side to help hold businesses to account when they let you down.

Click the link below to our sign-up form which will take around 15 minutes to complete. We’ll keep your information secure, and we’ll keep you updated as the case progresses.

What Should You Do Following The CarGurus Data Breach?

If you believe your data may have been accessed, you should follow the below steps to protect yourself from further harm:

Reset Your Password

Change your login details for CarGurus, and ensure your other accounts use strong, unique passwords. Customers were also advised to change passwords and enable two-factor authentication (2FA) at the same time as a precautionary measure.

Watch For Scams

Stay alert for suspicious calls, texts or emails. Whilst the breach included limited betting account information and recent activity on accounts, there's still a risk that even limited personal information could be used in phishing scams.

Monitor Your Credit

Be aware of any unexpected activity on your accounts - consider getting a copy of your credit file to check for identity misuse after the breach.

Learn how to stay safe following a data breach:

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial loss

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.

Distress

GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.
 

Your questions answered

See our answers to the FAQs we get asked about the CarGurus Data Breach.

FAQs about the CarGurus data breach

CarGurus is an automotive shopping website headquartered in the USA that compares local dealerships on behalf of consumers.

In February 2026, a cybercriminal group known as ShinyHunters claimed to have accessed CarGurus' internal systems, likely through a method known as “vishing”, or voice phishing, where the criminal calls an employee of a company posing as a member of the IT team. They will ask the employee for passwords or other sensitive information that can help them gain access to wider company systems.

After the ShinyHunters group gained access to CarGurus' systems, they accessed 1.7 million private company records, and threatened to release the data publicly unless a ransom was paid.

Sometime later, a 6.1GB archive was leaked on the dark web, containing up to 12 million email addresses of CarGurus customers.

CarGurus posted the following information on their website for affected customers here.

Your dealership should have contacted you if your data was accessed. If you haven’t received a notification, but you are worried that your data has been leaked, sign up using our link, and we will investigate on your behalf.

Anyone who thinks they might be involved should take immediate steps to protect themselves. Find out how to do this here.

If you believe that you may have been affected by the CarGurus data breach, register to receive updates on our investigation. We’ll let you know what’s happening, and if and when you can make a data breach compensation claim.   

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.

There are no costs to join our claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny. 

If your dealership was affected by the data breach, you may be able to join our claim. Please fill out the registration form and one of our team will be in touch with further information.

OR

Unfortunately, as a business entity, the dealerships themselves are not within the scope of our claim. You may be able to find support and file a complaint on the Information Commissioner's Office (ICO) website here: https://ico.org.uk/

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never be pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, PIN or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.