CarGurus, a major U.S.-based online automotive marketplace, is reportedly the victim of a large-scale data breach that has exposed the personal information of more than 12.4 million user accounts.

The incident, attributed to the ShinyHunters extortion group, came to light after the threat actors published a 6.1 GB archive of purportedly stolen CarGurus data on February 21. The dataset was subsequently added to the Have I Been Pwned (HIBP) breach database.

Despite the volume of leaked information, CarGurus has not yet formally confirmed the breach or issued an official public statement.

Compromised Data Types

According to Have I Been Pwned’s analysis, the leaked CarGurus dataset includes the following personal data elements:

What Happened

The threat group ShinyHunters, known for targeting large companies and leaking data when extortion demands go unmet, posted a substantial archive claiming to contain CarGurus user account records.

While many records may overlap with previously leaked data, HIBP notes that approximately 3.7 million records appear to be newly compromised.

Once the data was publicly accessible, cybercriminals could use it for a range of malicious activities, including phishing, social engineering, and identity-theft scams.

Threat Actor: ShinyHunters

ShinyHunters is a prolific cybercrime group that has previously claimed responsibility for data leaks involving companies such as Odido, Optimizely, Figure, Canada Goose, Panera Bread, Match Group, and SoundCloud.

Their techniques often involve social engineering to gain access to internal systems or extort organizations into paying for the return (or non-publication) of stolen datasets.

What Users Should Do?

CarGurus users whose data may be part of the breach should take the following precautions:

• Change passwords on their CarGurus accounts and any other accounts where the same password was used.

• Enable multifactor authentication (MFA) wherever possible.

• Remain vigilant for suspicious emails, texts, or calls that might leverage leaked personal data.

• Monitor financial accounts for unauthorized activities.

Taking these steps can help reduce the risk of account compromises and identity fraud following a breach.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.