The ShinyHunters extortion group published a 6.1GB archive on February 21 claiming 12.4 million records stolen from CarGurus, a digital auto platform that operates in the US, Canada and the UK.
KEY FACTS
- Incident: ShinyHunters posted a 6.1GB archive on February 21 claiming CarGurus data
- Records: 12.4 million records in the archive
- Fresh data: A breach listing on Have I Been Pwned added the dataset, with about 70 percent of the records already in its database and roughly 3.7 million appearing to be new
- Compromised data: Email addresses, IPs, full names, phone numbers, physical addresses, account IDs and finance and dealer details
CarGurus is a publicly traded automotive research and shopping company that says it helps users find and compare vehicles and contact sellers. The site also operates in multiple countries and draws millions of monthly visitors.
The company has not released an official statement about the published archive.
Compromised data types described in the available dataset include email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, finance prequalification and application information, dealer account details and subscription information.
The leaked archive is freely available for download, which increases the risk of targeted phishing and fraud. The ShinyHunters group has recently claimed attacks on several large companies and typically uses social engineering and voice phishing to obtain credentials. Past campaigns also involved tricking employees into installing malicious OAuth applications that grant API-level access to customer data in Salesforce instances.
WHY IT MATTERS
The public availability of the dataset raises the risk of phishing and fraud against affected users. People with CarGurus accounts should monitor communications and accounts for suspicious activity.

