The ShinyHunters extortion group published a 6.1GB archive allegedly containing 12.4 million CarGurus records, exposing emails, IPs, full names, phone numbers, addresses, account IDs, and finance data. Have I Been Pwned added the dataset and noted about 3.7 million records are new, warning that the freely downloadable data could be used for phishing. #ShinyHunters #CarGurus
Keypoints
- ShinyHunters published a 6.1GB archive claiming to contain 12.4 million CarGurus records.
- Have I Been Pwned added the dataset and identified roughly 3.7 million previously unseen records.
- The leak reportedly includes emails, IPs, full names, phone numbers, physical addresses, account IDs, finance application data, dealer details, and subscriptions.
- CarGurus has not issued an official breach statement, and users should expect targeted phishing and scam attempts using the leaked information.
- ShinyHunters commonly uses social engineering (voice phishing) and malicious OAuth apps to gain API-level access to SaaS platforms like Salesforce, Okta, and Microsoft 365.