
CarGurus Data Breach: 12.4 Million Records Exposed by ShinyHunters

Updated: 2 days ago

A significant data breach has impacted CarGurus, a popular online platform for car shopping and research. The hacking group ShinyHunters claims to have exfiltrated approximately 12.4 million user records. This incident raises concerns about the privacy of millions of users who utilize the platform for vehicle searches and financing applications.


Key Takeaways

  • A hacking group known as ShinyHunters claims to have leaked 12.4 million records from CarGurus.

  • The exposed data includes names, phone numbers, email addresses, physical addresses, and finance pre-qualification details.

  • Approximately 3.7 million of these records are believed to be newly exposed.

  • CarGurus has acknowledged a cybersecurity incident and is investigating.

Details of the Breach

The breach, allegedly carried out by ShinyHunters, involves a 6.1GB file containing 12.4 million records. The data reportedly includes sensitive information such as email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, dealer details, subscription information, and crucially, finance pre-qualification application data and outcomes. While Have I Been Pwned (HIBP) confirms that about 70% of the data had appeared in previous breaches, the approximately 3.7 million new records pose a fresh risk to users.

ShinyHunters' Modus Operandi

ShinyHunters is known for its tactics of data extortion, often leaking company data when ransom negotiations fail. The group typically gains access through social engineering, such as phone calls or fake login pages, to trick employees into revealing credentials. In some instances, they have also convinced employees to install malicious applications that grant them access to customer databases, allowing them to quietly access sensitive information without triggering immediate alarms.

Impact on Users and CarGurus' Response

The exposure of finance pre-qualification data is particularly concerning, as it indicates users were actively sharing financial details. This information can make individuals prime targets for follow-up scams, identity theft, and fraudulent loan offers. Although CarGurus has not issued a comprehensive public statement confirming the breach, a spokesperson acknowledged a cybersecurity incident, stating that the affected environment has been secured and an investigation is underway with a cybersecurity firm. They believe the activity has been contained and limited in scope, with no indications that core systems or products have been compromised. CarGurus has committed to notifying affected individuals in accordance with applicable laws.

Protecting Yourself

Users are advised to take immediate steps to mitigate potential risks:

  1. Check for Compromised Information: Visit Have I Been Pwned to see if your email address is included in the leak.

  2. Change Passwords: Update passwords for your CarGurus account and other critical online accounts, using strong, unique passwords and a password manager.

  3. Enable Two-Factor Authentication (2FA): Activate 2FA on all accounts that offer it for an extra layer of security.

  4. Be Wary of Phishing Scams: Exercise caution with unsolicited emails or messages, especially those related to car financing or dealership follow-ups. Do not click on suspicious links.

  5. Monitor Financial Accounts and Credit Reports: Keep a close eye on bank statements and credit reports for any unusual activity or inquiries.

  6. Consider Data Removal Services: Services exist that can help remove personal information from data broker websites, reducing your online exposure.

By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats.


Sources

  • CarGurus data breach exposes 12.4 million user records online in hack, Fox News.

  • CarGurus breach linked to ShinyHunters exposes 12.4M records, Kurt the CyberGuy.

  • CarGurus data breach exposes information of 12.4 million accounts, BleepingComputer.
