CarGurus Suffers Major Data Breach Affecting 12.5 Million Users
Overview of CarGurus
Founded in 2006, CarGurus has established itself as a prominent automotive research platform and marketplace, operating primarily in the United States, United Kingdom, and Canada. The platform is designed to help users navigate the car buying and selling process, making it a go-to resource for automotive enthusiasts and everyday consumers alike.
Severity of the Breach
Recent reports revealed that CarGurus fell victim to a significant data breach affecting approximately 12.5 million users. This alarming incident was first highlighted on the website Have I Been Pwned, which provides a service for individuals to check if their information has been compromised in data breaches.
Details of the Exposed Data
According to the report, the breach included a trove of sensitive information. Data that was reportedly exposed consisted of over 12 million email addresses alongside various additional details. These included user account ID mappings, finance pre-qualification application data, and subscription information related to dealer accounts.
The breach also compromised personal data such as names, phone numbers, physical addresses, IP addresses, and outcomes of auto finance applications. This extensive dataset puts affected users at risk of identity theft and other cyber threats.
Alleged Perpetrators: ShinyHunters Group
The infamous hacking group known as ShinyHunters has been implicated in this data breach. Their involvement was mentioned in a mid-February report, which stated that they had claimed responsibility for breaching CarGurus and had stolen around 1.7 million corporate records.
In a threatening message, ShinyHunters warned, “This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that’ll come your way.” This served as a chilling reminder of the group’s ongoing extortion tactics.
How the Breach Occurred
The initial breach took place on February 13, and it appears that ShinyHunters employed voice phishing techniques to gain unauthorized access. By obtaining single-sign-on codes from platforms like Okta, Microsoft, and Google, the group executed a broader code-stealing campaign. This sophisticated approach underscores the evolving challenges organizations face in safeguarding user data.
Trends in Cybersecurity Threats
This data breach represents the 15th incident reported in 2023 attributed to ShinyHunters, in conjunction with those cited from the alleged crime group Scattered Lapsus$ Hunters. Other noteworthy victims this year include Beacon Pointe Advisors and Mercer Advisors, both of which were threatened with data leakage.
CarGurus’ Response
In a statement provided to TechCrunch, a CarGurus spokesperson emphasized that the cyber incident had been contained. Maggie Meluzio, the spokesperson, reassured users, stating, “There are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption.”
CarGurus also indicated that they would notify any affected individuals in compliance with relevant laws, although they did not explicitly confirm the figure of 12.5 million users mentioned by Have I Been Pwned. The relationship between this number and the breach acknowledged by The Register remains uncertain.
Conclusion
As the frequency of data breaches continues to escalate, it’s increasingly important for users to remain vigilant about their personal information. The incident involving CarGurus serves as a crucial reminder about the risks associated with digital platforms and the ongoing threats posed by cybercriminals. Organizations must prioritize cybersecurity protocols to protect sensitive user data from future breaches.
