CarMax Data Breach

January 23, 2026 · 431,371 records · moderate risk

0 /100

Gravity Score

Low

Calculated based on the types of data exposed (4 categories) and the volume of affected records (431,371).

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Exposed data

Email addresses Names Phone numbers Physical addresses

Affected website

carmax.com

What to do now

🛡️Enable two-factor authentication (2FA) on all accounts that support it 📱Watch out for phishing attempts via SMS and suspicious calls ⚠️Be wary of contacts using your personal details to build trust (social engineering) 📧Stay alert for phishing emails that may look legitimate using information from this breach 🔍Use a password manager to create unique, strong passwords for every service

What can we learn from this breach?

Breaches like this offer valuable lessons for the entire industry. Some security practices that help protect data at scale include: encrypting sensitive personal data at rest with properly managed encryption keys; segmenting and isolating databases so that a single breach doesn't expose all records; conducting regular security audits and penetration testing; implementing real-time intrusion detection and incident response plans. Information security is an ongoing process, and each incident reinforces the importance of investing in data protection.

Was your data exposed?

Check now if your email appears in this breach. It's free, takes 30 seconds and requires no signup.

Check my email

Related breaches

Canadian Tire

Oct 1, 2025 38,306,562 records high risk

4 data types in common

CarGurus

Feb 13, 2026 12,461,887 records moderate risk

4 data types in common

← All breaches