Online vehicle marketplace CarGurus has launched an investigation into a cybersecurity incident the company experienced earlier this month, the company confirmed to CDG News.
The details: Troy Hunt, an Australian web security consultant for Microsoft and creator of Have I Been Pwned, recently published data showing that personally identifiable information, or PII (including names, physical addresses, and more than 12 million email addresses), has been compromised in a breach attributed to the threat actor ShinyHunters.
Allegedly, the infamous black-hat collective posted a statement on its data leak site, warning CarGurus to act quickly or risk seeing sensitive data dumped on the dark web.
The group claims to have stolen PII and “other internal corporate data,” totaling roughly 1.7 million records, according to a report from TechRadar.
According to ShinyHunters, the breach occurred on February 13 and was part of a broader code-stealing spree in which they used phishing strategies to obtain single-sign-on codes from users of Okta, Microsoft, and Google services.
How it happened: The attack was allegedly carried out through “vishing” attempts, also known as voice phishing, where scammers use phone calls (often VoIP) to impersonate trusted entities like banks, government agencies, or tech support, and then talk their way into sensitive systems and data.
If the group is actually responsible, this incident caps a string of 15 breaches claimed by ShinyHunters and Scattered Lapsus$ Hunters since the beginning of the year, including two investment advisory firms, Mercer Advisors and Beacon Pointe Advisors, listed in a recent report from The Register.
Yes, but: When CDG News reached out to CarGurus for comment, a spokesperson for the company provided the following statement:
“We recently experienced a cybersecurity incident; we secured the affected environment and launched an investigation with the assistance of a leading independent cybersecurity firm. Based on our investigation to date, the activity has been contained and limited in scope.”
“At this time, it doesn’t appear that the incident involved a broad set of highly sensitive data; however, our investigation remains ongoing. Also, at this time, there are no indications that dealer data feeds, APIs, or core systems used by our dealer partners have been compromised. We remain fully operational, and our services continue without interruption.”
Why it matters: Organized cybercrime rings are more prolific (and more targeted) than ever, increasingly going after platforms that sit at the center of consumer and dealer data flows.
Bottom line: Expect more of these attacks, not fewer, as threat actors lean into social engineering and voice phishing to get around technical controls.
This is a developing story. We will update the story as more information becomes available.