Bleeping Computer reported Tuesday (Feb. 24) that an extortion group called ShinyHunters claimed Saturday (Feb. 21) that it had 12.4 million records from CarGurus. The group later published the data, according to the report.
TechCrunch also reported Tuesday that CarGurus was the target of a data breach led by ShinyHunters. This report put the number of stolen records at 12.5 million and cited a post by data breach notification site Have I Been Pwned.
The Have I Been Pwned post said the data compromised in the incident includes names, physical addresses, email addresses, IP addresses and phone numbers.
CarGurus did not immediately reply to PYMNTS’ request for comment.
ShinyHunters was implicated in a data breach reported in August by Google. The tech giant said at the time that ShinyHunters had breached one of its Salesforce database systems used to house contact information and related notes for small and medium-sized businesses.
The Google Threat Intelligence Group said it suspected the hackers could be planning to “escalate their extortion tactics” by initiating a data leak site and that these tactics “are likely intended to increase pressure on victims.”
The PYMNTS Intelligence report “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms” found that this security breach was a textbook case of social engineering. ShinyHunters contacted Google employees by phone and tricked them into granting access to a malicious app within a third-party platform used by the company.
The reported data breach at CarGurus follows reports of other breaches with different causes.
A data breach at Conduent Business Services, an operator of back-end systems for state governments, affected more than 25 million people across the country, according to a post from a Wisconsin state agency. Conduent said in a notice of data incident on its own website that “we were the victim of a cyber incident.”
In another, separate incident, PayPal notified about 100 customers of PayPal Working Capital (PPWC) that their personally identifiable information (PII) was exposed to unauthorized individuals over a five-month period due to an error in its PPWC loan application.
