Alleged CarGurus Data Leak Exposes 12.4 Million Records
A hacking group known as ShinyHunters has published a 6.1GB dataset it claims was taken from CarGurus, the U.S.-based auto shopping site that attracts about 40 million monthly visitors, allegedly exposing 12.4 million user records. Security site Have I Been Pwned, which has added the data to its breach database, says the information includes names, email and physical addresses, phone numbers, IP addresses, account IDs, dealer and subscription details, and finance pre‑qualification application data and outcomes, with roughly 3.7 million records not seen in prior leaks. ShinyHunters, which has a track record of leaking company data after failed ransom talks, is believed to have obtained access through social‑engineering attacks on employees rather than direct technical exploits. CarGurus, in a statement to the outlet, acknowledged a recent 'cybersecurity incident,' said it had contained the activity and was working with a leading cybersecurity firm, and claimed there is no indication core systems or dealer data feeds were affected, though it has not publicly confirmed the full scope or authenticity of the leaked dataset. Cybersecurity researchers warn that if the data is genuine, the combination of personal identifiers and financing‑related information could fuel targeted phishing, fake loan offers and identity‑theft attempts against U.S. consumers who used the platform for car searches or pre‑qualification.