Automotive marketplace CarGurus has suffered a data breach that exposed the personal information of millions of customers, in what security researchers describe as one of the largest automotive related cyber incidents this year. The breach reportedly involved the theft of names, email addresses, phone numbers, and physical addresses belonging to users of the platform.
The disclosure was flagged by Have I Been Pwned, a breach notification website operated by security researcher Troy Hunt, which said that approximately 12.5 million CarGurus accounts were compromised. The site attributed the intrusion to the hacking collective ShinyHunters, a group known for high profile data thefts and sophisticated social engineering tactics.
CarGurus, founded in 2006, operates an online marketplace that enables users to buy, sell, and finance vehicles. According to details published by Have I Been Pwned, the exposed data includes user account identification mappings, finance pre qualification application information, and dealer account and subscription records. Such data sets, analysts warn, could be used for identity fraud or targeted phishing campaigns if weaponised by malicious actors.
ShinyHunters has built a reputation for exploiting human vulnerabilities rather than purely technical flaws. The group has previously impersonated employees in calls to corporate helpdesks to obtain password resets, a tactic that has enabled breaches affecting universities and major technology platforms. It has also claimed responsibility for high profile incidents involving global firms across sectors, underscoring the persistent threat posed by socially engineered intrusions.
The CarGurus incident marks the second automotive related breach highlighted this year by Have I Been Pwned. Last month, data allegedly linked to CarMax surfaced online following a failed extortion attempt, exposing approximately 431,000 unique email addresses alongside names, phone numbers, and physical addresses. CarGurus had yet to publicly comment on the breach at the time of reporting, as cybersecurity concerns continue to ripple across consumer facing digital marketplaces.