Overview
- The extortion group released a 6.1GB archive on February 21 claiming it contains CarGurus user and dealer data.
- Have I Been Pwned listed the leak on February 22 and found roughly 70% overlapped prior breaches, leaving about 3.7 million fresh records.
- Exposed fields reportedly include names, email and physical addresses, phone numbers, IP addresses, user account IDs, finance application details and outcomes, and dealer and subscription information.
- CarGurus has not confirmed a breach or responded to media inquiries, according to the latest reporting.
- Security observers warn the publicly available data raises phishing and fraud risks, with ShinyHunters linked to recent social engineering intrusions.