Notorious cybercrime group ShinyHunters published data online that it claims was obtained in a breach involving the CarGurus automotive marketplace. The group said the dataset includes personal information tied to an estimated 12.4 million records. ShinyHunters made the files available on a public forum for threat actors and researchers to download.
CarGurus did not dispute that a breach had occurred but said it was assessing the scope and impact of the incident. In a statement, company representatives confirmed they were investigating reports of an unauthorised data disclosure and were working with external cybersecurity experts and law enforcement to understand what information may have been accessed. CarGurus said it had not yet determined whether payment card data was affected.
The dataset published by ShinyHunters included tables and fields that the group said were extracted from CarGurus’ systems. According to the group, the records contain names, email addresses, hashed passwords, and other personal details. The files were posted without accompanying ransom demands, and the group offered the data for anyone to download. Independent verification of the data’s authenticity was not available at the time of reporting.
CarGurus said in its statement that it took immediate steps to secure its systems once the issue was identified. The company also said it was notifying individuals whose information might be involved, and that it encouraged customers to be vigilant for potential phishing attempts and other scams that could arise from exposed personal data. CarGurus said it had implemented additional monitoring and protective measures as part of its response.
ShinyHunters has been linked to several other high-profile data exposures. Security analysts noted that groups of this type often publish or sell datasets widely to maximise leverage or attention rather than engage directly in ransom negotiations. Analysts also said that even when data is made public without ransom demands, affected organisations face longer-term reputational and operational challenges as they address potential misuse of information.
CarGurus competes in the online car marketplace sector with other services that host vehicle listings and connect buyers with sellers. The company said it would provide updates as its investigation continued and more details about the incident became clear. CarGurus’ full assessment of the data involved was expected to take time as forensic analysis and review of internal systems progressed.