Automotive marketplace CarGurus was hit by a data breach in which the names, email addresses, phone numbers, and addresses of millions of customers were stolen.
Have I Been Pwned, a data breach notification site run by security researcher Troy Hunt, reported that 12.5 million CarGurus accounts were compromised in the data breach.
Founded in 2006, CarGurus operates an online marketplace where customers can buy and sell vehicles and finance their purchases.
Have I Been Pwned attributes this breach to the ShinyHunters hacking group.
The ShinyHunters group is known for its social engineering skills, including calling help desks and pretending to be employees who need password resets. The hackers have used these techniques to steal large amounts of data from several universities and over a billion records from Salesforce customers including Google and Workday, and have claimed recent hacks of Pornhub and fintech lending giant Figure.
TechCrunch has reached out to CarGurus for comment and will update this article if the company responds.
According to Have I Been Pwned, the exposed customer data included user account ID mapping, financial pre-qualification application data, and dealer account and subscription information.
This is the second automotive data breach reported by Have I Been Pwned this year. Data breach notification sites reported last month that data purported to be from CarMax was made public after an extortion attempt. That breach included approximately 431,000 unique email addresses, along with names, phone numbers, and addresses.
