More than 12 million users of CarGurus, a popular automotive research and shopping site, have been impacted by a significant data breach. This incident came to light last week when ShinyHunters, a notorious extortion group, added CarGurus to its leak site on the Tor network. The group claims to have stolen both personally identifiable information (PII) and internal corporate data from the company.
Details of the Breach
Initially, the cybercriminals claimed to have accessed 1.7 million records from CarGurus. However, they have since leaked a 6.1GB archive containing data from approximately 12.5 million accounts. The compromised information includes names, addresses, email addresses, phone numbers, and IP addresses, according to the data breach notification website Have I Been Pwned.
The breach notification service further elaborated that the exposed data includes over 12 million email addresses, user account ID mappings, finance pre-qualification application data, and dealer account and subscription information. Have I Been Pwned also noted in a post on X that about 70% of these email addresses had been compromised in previous data breaches.
CarGurus’ Response and Security Concerns
As of now, CarGurus has not made any public statements acknowledging the breach. SecurityWeek has reached out to the company for comments regarding the claims made by ShinyHunters and will provide updates if a response is received.
The precise method of data theft remains unclear, but ShinyHunters is known for conducting sophisticated voice phishing, or ‘vishing,’ attacks. These attacks have previously compromised several organizations, highlighting the persistent risk posed by such cybercriminal activities.
Broader Implications and Related Incidents
The ShinyHunters group has been linked to numerous recent phishing campaigns targeting over 100 organizations. Some of the affected companies include Optimizely, Figure, Panera Bread, and Crunchbase. Such incidents underscore the increasing prevalence and impact of data breaches in today’s digital landscape.
Related cases have seen other major brands like Dior, Louis Vuitton, and Tiffany being fined $25 million in South Korea following data breaches. Additionally, breaches have affected 626,000 individuals at ApolloMD and 750,000 at a Canadian investment watchdog. These events serve as a stark reminder of the importance of robust cybersecurity measures.
With data breaches becoming more frequent, it is crucial for both organizations and individuals to stay vigilant and adopt comprehensive security practices to protect sensitive information.
