
CarGurus has suffered a data breach attributed to the ShinyHunters threat group, exposing more than 12 million email addresses along with sensitive personal and financial information.
The incident has now been added to Have I Been Pwned (HIBP), which confirmed the authenticity of the leaked data following its standard verification process.
The incident occurred earlier this month and impacted approximately 12.5 million accounts. The data was allegedly stolen by ShinyHunters, a well-known cybercrime collective with a long history of targeting high-profile organizations and leaking stolen databases on dark web forums and extortion portals.
The exposed data was published publicly after an attempted extortion against CarGurus reportedly failed. A listing on ShinyHunters’ dark web portal advertised “Over 12.4M records containing PII and other internal corporate data,” offering a 6.1GB compressed archive for download. The threat actor claimed the dataset included user information and internal records, a claim now partially corroborated by HIBP’s analysis.

HIBP states that the leaked files contained over 12 million unique email addresses distributed across multiple datasets. These included user account ID mappings, finance pre-qualification application data, dealer account and subscription information, as well as auto finance application outcomes. Impacted personal data fields include names, phone numbers, physical addresses, IP addresses, and email addresses.
CarGurus is a major US-based online automotive marketplace that connects car buyers and sellers, including dealerships. Founded in 2006 and publicly traded on NASDAQ, the company serves millions of users monthly and offers vehicle listings, price-comparison tools, dealer services, and auto-financing pre-qualification features. The exposure of finance-related application data significantly increases the potential risk to affected individuals, as such information may be leveraged in targeted phishing, identity theft, or social engineering attacks.
At the time of writing, CarGurus has not published an official statement regarding the breach. It is important to note that while HIBP performs its own review process to verify the legitimacy and structure of breached datasets before adding them to its service, inclusion in HIBP does not constitute official confirmation from the affected organization.
Users with CarGurus accounts are advised to remain vigilant against phishing emails, monitor financial accounts and credit reports for suspicious activity, reset their passwords, and enable multi-factor authentication when available.