CarGurus data breach impacts 12.5 million user accounts
CarGurus confirms a data breach affecting 12.5 million accounts, raising concerns about customer information security and protections for online marketplaces.
Automotive marketplace CarGurus has suffered a data breach that exposed the personal information of millions of customers, including names, email addresses, phone numbers, and physical addresses.
Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt, reported that 12.5 million CarGurus accounts were affected in the incident.
Founded in 2006, CarGurus operates an online marketplace where users can buy, sell, and finance vehicle purchases.
Have I Been Pwned attributed the breach to the hacking group ShinyHunters.
ShinyHunters is widely known for social engineering tactics, including calling company help desks and posing as employees to convince staff to reset passwords. The group has used these techniques to steal large amounts of data from several universities and to obtain more than a billion records from Salesforce customers, including Google and Workday. The hackers have also claimed more recent breaches involving Pornhub and fintech lending firm Figure.
CarGurus spokesperson Maggie Meluzio confirmed the company experienced a cybersecurity incident and said the situation is now contained.
“There are no indications that dealer data feeds, APIs, or core systems or products used by our consumers or dealer partners have been compromised. We remain fully operational, and our services continue without interruption. We will notify any affected individuals in accordance with applicable laws,” Meluzio said.
CarGurus did not dispute the 12.5 million figure shared by Have I Been Pwned.
According to Have I Been Pwned, the published data included user account ID mappings, finance prequalification application data, and dealer account and subscription details.
This marks the second automotive-related data breach reported by Have I Been Pwned this year. Last month, the site reported that data allegedly tied to CarMax was released after an extortion attempt failed. That breach included about 431,000 unique email addresses, along with names, phone numbers, and physical addresses.
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
