CarGurus data breach affects 12.5 million accounts

Car marketplace CarGurus was the target of a data breach in which the names, email addresses, phone numbers and physical addresses of millions of customers were stolen.

Have I Been Pwned, a data breach media site presented by security researcher Troy Hunt, reported that 12.5 million CarGurus accounts were compromised in the data breach.

CarGurus, founded in 2006, operates an online marketplace that allows customers to buy, sell and finance vehicle purchases.

The Have I Been Pwned website attributed the hack to the hacking group ShinyHunters.

The ShinyHunters group is known for their social engineering skills, such as calling help desks and pretending to be employees who need their password reset. Hackers used their social engineering skills to steal large amounts of data from several universities and more than a billion records from Salesforce customers, including Google and Workday, claiming recent breaches at Pornhub and fintech lending giant Figure.

TechCrunch has reached out to CarGurus for comment and will update this article if the company responds.

The customer data released included user account ID mappings, financing pre-qualification order data, and dealer account and subscription information, according to Have I Been Pwned.

This is the second car-related data breach reported by Have I Been Pwned this year. Last month, data allegedly from CarMax was made public after a failed extortion attempt, the data breach notification website reported. The data breach involved approximately 431,000 unique email addresses along with names, phone numbers and physical addresses.