CarGurus users are at risk after the ShinyHunters hacking group leaked 12.4 million records, including sensitive personal and financial information.
CarGurus users are facing significant security risks following a data breach linked to the ShinyHunters hacking group, which has allegedly leaked 12.4 million records. This incident raises concerns about the safety of personal information for millions of individuals who utilize the popular auto shopping platform each month.
The leaked data reportedly includes a variety of sensitive information, such as names, phone numbers, email addresses, physical addresses, and finance pre-qualification details. While a majority of the records had been exposed in previous incidents, approximately 3.7 million records are new, which makes this leak particularly concerning for users.
The ShinyHunters group published a 6.1GB file on February 21, claiming it contained user records from CarGurus, which operates not only in the United States but also in Canada and the United Kingdom. The platform attracts around 40 million visitors monthly, allowing users to compare vehicles, contact sellers, and apply for financing.
According to Have I Been Pwned, a website that tracks data breaches, the exposed information encompasses email addresses, IP addresses, full names, phone numbers, physical addresses, account IDs, dealer details, subscription information, and finance pre-qualification application data, along with their outcomes. Notably, about 70% of the data had previously appeared in other breaches, while the remaining 3.7 million records are new.
As of now, CarGurus has not issued an official statement confirming the breach and has not responded to media inquiries regarding the incident. ShinyHunters is notorious for leaking company data when ransom negotiations fail and has recently targeted major brands across various sectors, including telecom, retail, finance, and technology.
The group typically gains access to sensitive data through social engineering tactics rather than directly breaching firewalls. In past incidents, they have used phone calls or fake login pages to trick employees into providing credentials. Once inside, attackers can quietly access cloud systems that house customer data. In some cases, they have even convinced employees to install malicious applications that grant access to customer databases without triggering alarms.
If the dataset is legitimate, criminals now have access to detailed personal profiles linked to car shopping and financing activities, which can be highly valuable. The finance pre-qualification data is particularly sensitive, as it indicates that individuals were sharing financial details, making them prime targets for scams, identity theft attempts, and fraudulent loan offers.
A spokesperson for CarGurus acknowledged a cybersecurity incident, stating, “We promptly responded by securing the affected environment, and we are currently working with a leading cybersecurity firm to investigate. Based on the investigation to date, we believe the activity has been contained and limited in scope. Also, at this time, there are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws.”
In light of this breach, users are advised to take immediate steps to mitigate their risk. One recommended action is to visit Have I Been Pwned and check whether your email address has been affected. Users can enter their email address to determine if their information appears in the CarGurus leak.
It is also essential to secure important accounts, such as email, medical, and banking, by using strong, unique passwords that combine letters, numbers, and symbols. Avoid predictable choices like names or birthdays, and never reuse passwords across multiple accounts. A password manager can simplify this process by securely storing complex passwords and generating new ones as needed.
Additionally, consider utilizing a personal data removal service. While no service can guarantee complete removal of personal data from the internet, these services actively monitor and erase personal information from various websites, reducing the risk of scammers cross-referencing data from breaches with information available on the dark web.
If CarGurus or your email provider offers two-factor authentication (2FA), enabling it adds an extra layer of security, making it more challenging for unauthorized individuals to access your accounts even if they have your password.
Users should exercise caution with emails or texts related to car loans, financing approvals, or dealership follow-ups. It is advisable not to click on links in unsolicited messages and instead contact the company directly using official contact details found on their website. Strong antivirus software can also help block malicious links and downloads that may accompany phishing campaigns.
For those who applied for financing, monitoring credit reports for unfamiliar inquiries or new accounts is crucial. Early detection can help prevent identity theft from escalating. If suspicious activity is detected, consider placing a credit freeze to safeguard personal information.
Identity theft protection services can also monitor unusual activity linked to your name, Social Security number, or financial accounts, alerting you promptly if someone attempts to open a new credit card in your name.
This incident underscores a broader issue concerning the security of personal and financial data collected by companies. If the leaked dataset is authentic, millions of individuals who were simply shopping for a car now face an increased risk of scams. CarGurus has yet to publicly confirm the breach, leaving customers in a state of uncertainty regarding the potential exposure of their sensitive financial application data.
As discussions around data security continue, the question arises: should companies that collect financing data be required to publicly confirm or deny breaches within a specific timeframe? This incident highlights the need for transparency in the handling of sensitive information.

