CarGurus Breach: 12.5 Million Accounts Exposed – Ankor Tech

The automotive marketplace CarGurus has confirmed a significant cybersecurity incident resulting in the exposure of personal information for 12.5 million users. The breach involved the theft of sensitive customer data, including full names, email addresses, phone numbers, and physical addresses.

Data Breach Scope and Attribution

The scale of the incident was brought to light by Have I Been Pwned, a prominent data-breach notification service. According to security researcher Troy Hunt, the compromised records total 12.5 million CarGurus accounts. Digital forensics experts have attributed the intrusion to the notorious hacking collective known as ShinyHunters.

ShinyHunters is widely recognized for employing advanced social engineering tactics, such as manipulating help desk personnel to bypass password protocols. The group has a documented history of high-profile attacks, including the theft of over a billion records from Salesforce clients and breaches targeting major universities and fintech entities.

Company Response and Security Status

CarGurus, established in 2006, serves as a hub for vehicle purchasing, selling, and financing. Company spokesperson Maggie Meluzio confirmed the incident, stating that the situation is currently contained.

“There are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised,” Meluzio stated, emphasizing that services remain fully operational. The company has committed to notifying all affected individuals in compliance with legal requirements and did not contest the figures provided by Have I Been Pwned.

Nature of the Stolen Information

Beyond basic contact details, the leaked dataset includes deeper account information. Reports indicate the exposure of user account ID mappings, finance prequalification application data, and specific dealer account and subscription details.

Rising Threats in the Automotive Sector

This incident marks the second major automotive-related data breach identified by Have I Been Pwned this year. The sector previously faced a security failure involving CarMax, where hackers attempted to extort the company before leaking the personal data of approximately 431,000 individuals.