A hacking group known as ShinyHunters has published a 6.1GB file containing 12.4 million user records allegedly taken from CarGurus, a major U.S.-based auto shopping platform. The dataset includes names, email addresses, phone numbers, physical addresses, and finance pre-qualification details.
Approximately 3.7 million of the records are newly exposed, according to Have I Been Pwned, which has added the breach to its database. The rest had appeared in previous incidents. CarGurus has not issued a public confirmation but told CyberGuy it experienced a cybersecurity incident, has secured the affected environment, and is working with a cybersecurity firm to investigate.
ShinyHunters typically uses social engineering tactics, such as phishing calls or fake login pages, to obtain employee credentials and access cloud-stored customer data. If verified, this breach gives criminals access to sensitive personal and financial profiles, increasing risks for phishing, identity theft, and fraudulent loan offers.
Security experts warn users to change passwords, enable two-factor authentication, monitor credit reports, and consider identity theft protection. CarGurus says its core systems, APIs, and dealer services remain uncompromised and operational.