CarGurus data breach affects 12.5 million accounts

Automotive marketplace CarGurus experienced a data breach that resulted in the theft of customer information. The compromised data includes names, email addresses, phone numbers, and physical addresses for millions of customers.

According to the data breach notification site Have I Been Pwned, operated by security researcher Troy Hunt, approximately 12.5 million CarGurus accounts were affected. CarGurus, founded in 2006, operates an online platform where customers can buy, sell, and finance vehicles.

Have I Been Pwned attributes this breach to the ShinyHunters hacking group. This group is known for sophisticated social engineering tactics, such as impersonating employees to trick helpdesks into resetting passwords. The hackers have used these methods to steal large volumes of data from various organizations.

The group has previously targeted several universities and taken over a billion records from Salesforce customers including Google and Workday. It has also claimed recent hacks at Pornhub and fintech lending giant Figure.

The published customer data from CarGurus included user account ID mappings, finance pre-qualification application data, and dealer account and subscription information.

This marks the second automotive-related data breach reported by Have I Been Pwned this year. Last month, data allegedly from CarMax was published following a failed extortion attempt. That breach included about 431,000 unique email addresses along with names, phone numbers, and physical addresses.