CarGurus Class Action, Hackers Stole Your Data and the Company Stayed Silent
Two federal class action lawsuits filed in February 2026 claim CarGurus Inc. failed to protect the personal information of up to 12.4 million users after a hacking group broke in through a social engineering attack. The suits were filed in Massachusetts federal court on February 26, 2026 by plaintiffs David Ramirez and Nancy Infield. No settlement exists. The case is in early litigation.
Quick Facts
| Field | Detail |
| --- | --- |
| Settlement Amount | None — active litigation |
| Claim Deadline | N/A |
| Who Qualifies | CarGurus users whose PII was exposed in the February 2026 breach |
| Payout Per Person | TBD |
| Proof Required | TBD |
| Settlement Status | No settlement — litigation phase only |
| Administrator | TBD |
| Official Website | TBD |
Where Things Stand Right Now
- Both lawsuits are in their earliest stages — no class has been certified and no settlement negotiations have been reported.
- CarGurus has acknowledged the incident publicly but disputes the scale and severity of what was taken.
- No claim form exists. Affected users should preserve any breach notifications, CarGurus account records, and evidence of financial harm.
A Hacker Group Tricked Employees Into Opening the Door
The incident reportedly occurred on or about February 13, 2026, and came to public attention when cybersecurity consultant Troy Hunt, founder of the breach notification service Have I Been Pwned, published data showing CarGurus user PII had been compromised. The platform connects millions of car buyers with dealerships across the United States and collects names, addresses, phone numbers, and in some cases, financial pre-qualification details.
According to reports, attackers impersonated IT support staff and contacted CarGurus employees by phone. Using social engineering, they tricked employees into providing Single Sign-On codes — bypassing multi-factor authentication and walking directly into the company’s internal systems. This method is known as “vishing,” a voice-based form of phishing.
The hacking group ShinyHunters, known for high-profile extortion operations, claimed responsibility. The group first demanded a ransom from CarGurus, and when those demands went unmet, published the stolen data on a dark web leak site.

What Was Actually Taken — and How Big Is This Really?
The size of the breach depends on the source, and the numbers conflict. ShinyHunters initially claimed to have exfiltrated approximately 1.7 million records. On February 21, 2026, the group published a 6.1 gigabyte archive purportedly containing 12.4 million records. The Have I Been Pwned platform then ingested the dataset the following day.
While some of the exposed data appears to have originated from older leaks, breach monitoring service Have I Been Pwned estimates that roughly 3.7 million records were newly compromised in this incident. The stolen data reportedly includes names, email addresses, phone numbers, physical addresses, IP addresses, and in some cases finance pre-qualification details.
The complaint alleges CarGurus failed to provide timely notification to affected users, who reportedly learned of the breach through media reports rather than directly from the company. According to the Infield complaint, CarGurus breached its duties under common law, contract law, industry standards, and the FTC Act to implement reasonable and adequate data-security measures.
The Laws Behind the Claims
- California Consumer Privacy Act (CCPA) — Gives California residents the right to know what personal data a company collects, how it is used, and recourse when it is mishandled. Plaintiff Ramirez asserts this claim under California law.
- Negligence (Common Law) — Alleges CarGurus owed users a duty of care to protect their data and breached that duty through inadequate security practices.
- Breach of Implied Contract — Claims users had a reasonable expectation that their data would be protected when they agreed to use CarGurus services.
- Unjust Enrichment — Alleges CarGurus financially benefited from collecting and monetizing user data while failing to adequately secure it.
- FTC Act (Section 5) — Prohibits unfair or deceptive acts in commerce. The complaint alleges CarGurus’ security failures and delayed notification qualify as unfair practices.
You Used CarGurus to Shop for a Car — Here’s Whether You’re in the Class
You may qualify if:
- You created a CarGurus account or used the platform to search for vehicles at any point before February 2026
- You submitted personal information including your name, phone number, address, or email to CarGurus
- You completed a finance pre-qualification inquiry through the platform, which may have exposed additional financial data
- You received a breach notification from CarGurus or discovered your information through a service like Have I Been Pwned following the February 2026 incident
- You are located anywhere in the United States (a California-specific subclass also exists for CCPA claims)
No action is required right now. Save any purchase records, receipts, or confirmation emails — these may matter if a settlement is reached.
CarGurus Said the Damage Was “Limited.” Plaintiffs Say Otherwise.
CarGurus did not stay silent. A company spokesperson provided this statement: “We recently experienced a cybersecurity incident; we secured the affected environment and launched an investigation with the assistance of a leading independent cybersecurity firm. Based on our investigation to date, the activity has been contained and limited in scope.” The company also stated: “At this time, it doesn’t appear that the incident involved a broad set of highly sensitive data; however, our investigation remains ongoing.”
CarGurus also confirmed that dealer data feeds, APIs, and core systems used by dealer partners were not compromised, and that services remain fully operational.
The plaintiffs’ complaints directly challenge that framing — arguing the breach exposed millions of records and that users were not notified promptly. The court has not ruled on these competing positions. As of the date of filing, CarGurus had not yet formally acknowledged the full scope of the breach in a public statement.
The Road Ahead for This Case
- Defendants file their answer: CarGurus will formally respond to each complaint and may move to dismiss on legal or procedural grounds.
- Discovery begins: Both sides will exchange documents, internal security audits, breach timelines, and communications related to the incident and notification decisions.
- Class certification hearing: Plaintiffs must show the court that Ramirez, Infield, and all similarly affected users share enough in common to be treated as a single class — this is the defining hurdle for any class action.
- Potential consolidation: With multiple suits filed around the same incident, a judge may consolidate them into a single proceeding to avoid duplication.
- Settlement or trial: Data breach cases of this scale frequently settle after class certification — but no talks have been reported at this stage. If no agreement is reached, the case proceeds to trial.
Timeline: Class certification alone typically takes 12–18 months. A resolution of any kind is likely at least two years away.
This page will be updated as the case develops.
Important Case Dates
| Milestone | Date |
| --- | --- |
| Breach Occurred | On or about February 13, 2026 |
| ShinyHunters Published Stolen Data | February 21, 2026 |
| Lawsuits Filed | February 26, 2026 |
| Defendant Answer Due | TBD |
| Discovery Period | TBD |
| Class Certification Hearing | TBD |
| Trial Date | TBD |
| Settlement | TBD |
What People Are Searching About This Breach
Is this CarGurus lawsuit real?
Yes. Two separate cases are on file in the U.S. District Court for the District of Massachusetts — Ramirez v. CarGurus Inc., Case No. 1:26-cv-11003, and Infield v. CarGurus Inc., Case No. 1:26-cv-10996.
Can I file a claim against CarGurus right now?
No. No claim form exists and no settlement has been reached. There is nothing to file at this stage. Monitor this page for updates.
Do I need my own lawyer to join this class action?
No. If the class is certified and a settlement is eventually approved, affected consumers are typically notified and can file without hiring their own attorney. The plaintiffs’ lawyers represent the class.
When will I receive a payment?
No payment timeline exists because no settlement has been reached. Data breach class actions of this scale typically take two or more years to resolve.
What if I miss a future claim deadline?
If you miss a claim deadline after a settlement is reached, you will generally lose your right to a payout but remain bound by the settlement’s release of claims. Set a reminder to check back here for deadline alerts.
Will a settlement payment count as income on my taxes?
Possibly, depending on how the payment is classified. Payments for economic losses are typically not taxable, while payments for emotional distress may be. Consult a tax professional when the time comes.
My data showed up on Have I Been Pwned — does that confirm I’m in the class?
It is strong evidence that your information was part of the CarGurus dataset, but class membership will ultimately be defined by the court when and if a class is certified. Keep that notification as a record.
Should I worry about my car financing details being exposed?
The stolen data reportedly includes finance pre-qualification application outcomes, which, combined with names and addresses, give identity thieves enough information to attempt fraudulent credit applications in your name. Place a fraud alert with the major credit bureaus and monitor your credit reports.
Sources & References
- Ramirez v. CarGurus Inc., Case No. 1:26-cv-11003, U.S. District Court for the District of Massachusetts — PACER docket TBD
- Infield v. CarGurus Inc., Case No. 1:26-cv-10996, U.S. District Court for the District of Massachusetts — PACER docket TBD
Last Updated: March 25, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
