If you’ve ever looked for a vehicle on CarGurus, there’s a chance your personal info might be floating around online. A hacking group, ShinyHunters, claims to have leaked 12.4 million records linked to CarGurus, a widely-used vehicle shopping site that attracts millions of visitors monthly.
The leaked data encompasses names, phone numbers, email addresses, physical addresses, and even some financial pre-qualification details. While many of these records had appeared in previous breaches, roughly 3.7 million are new. This new information could easily be downloaded by criminals.
What to Know About the CarGurus Breach
On February 21, ShinyHunters distributed a 6.1 GB file, alleging it was from CarGurus. The file reportedly contains 12.4 million user records associated with this popular automotive platform.
CarGurus operates in the U.S., Canada, and the U.K., drawing around 40 million visitors every month. The site allows users to compare vehicles and connect with sellers, among other features.
The breach was logged by Have I Been Pwned, which has integrated this dataset into its breach database. The leaked information includes things like email addresses, full names, phone numbers, and financial pre-qualification results. Notably, about 70% had already been revealed in earlier breaches, but around 3.7 million records are newly exposed. CarGurus hasn’t yet acknowledged the breach publicly nor responded to media inquiries. ShinyHunters is known for leaking data when ransom talks fail, with recent claims against major companies across various sectors.
Why This Matters
ShinyHunters typically gains access by tricking employees rather than hacking through firewalls. In past events, the group used tactics like phone calls and fake login pages to obtain staff credentials. Once they have these, they can enter cloud systems storing sensitive information without alarming anyone.
Some methods have included convincing employees to install malicious applications, giving them secret access to customer databases. If this latest dataset is legitimate, it could detail car purchasing habits and financing applications—valuable information for criminals.
The pre-qualification data is particularly concerning. Even without a full social security number, it still indicates that a person shared financial information. This makes it attractive for scams, identity theft, and fraudulent loan offers. The public availability of this data means even less-skilled criminals could exploit it.
A spokesperson from CarGurus has acknowledged a recent cybersecurity incident, stating they acted promptly to secure affected areas and are now collaborating with a top cybersecurity firm for an investigation. So far, they believe the breach’s impact is limited, assuring that core systems remain secure and operational.
How to Protect Yourself From a CarGurus Breach
Here are some steps you can take now to lower your risk of becoming a victim of fraud related to this breach.
1) Check if Your Email and Password Were Compromised
To see if your email is among those affected, visit Have I Been Pwned and enter your email address. Once you check, move on to the next step.
2) Change Your Passwords Immediately
Start with your crucial accounts—email, banking, medical—using strong, unique passwords that mix letters, numbers, and symbols. Avoid easily guessable information like birthdays. A password manager can help keep these strong passwords safe and manageable.
3) Limit Your Online Exposure
Consider using a data deletion service, which actively monitors and removes personal information from various sites. While complete removal isn’t guaranteed, reducing what’s out there can lower your risk of becoming a target.
4) Enable Two-Factor Authentication
If available on CarGurus or your email provider, enable two-factor authentication (2FA), adding an extra layer of security to your accounts.
5) Be Aware of Phishing Scams
Stay cautious of emails and text messages related to loans or dealer communications. Avoid clicking any suspicious links. Always double-check by contacting companies directly using verified information.
6) Monitor Your Credit Report
Keep an eye on your credit report for any unfamiliar inquiries or new accounts. Early detection can halt identity theft in its tracks. If something seems off, consider freezing your credit.
7) Consider Identity Theft Protection
Utilizing identity theft protection services can help monitor unusual activity linked to your name, social security number, and financial accounts. These services provide alerts if there are attempts to misuse your information.
Conclusion
This incident underscores a more extensive issue that affects not only one company. When platforms collect sensitive financial and personal data, they become attractive targets. If this data leak is valid, many individuals simply looking to purchase vehicles might now face fraud risks. CarGurus hasn’t publicly confirmed the breach, creating uncertainty. Should companies be required to announce such breaches within a specific timeframe?
