CarMax Data Breach

23/01/2026 · 431,371 records · moderate risk

0 /100

Gravity Score

Moderate

Calculated based on the types of data exposed (4 categories) and the volume of affected records (431,371).

Data alleged to come from CarMax was posted online after an unsuccessful extortion attempt. The release appears to be primarily customer contact information.

It included 431,000 unique email addresses along with names, phone numbers, and physical addresses. The published set did not indicate the presence of passwords or full payment card details.

Exposed data

Email addresses Names Phone numbers Physical addresses

What to do based on this breach

Watch for car sale scams and “reservation fee” requests that use your name, phone number, and address to appear legitimate

Enable login and recovery alerts on your email provider to reduce the risk of social engineering takeovers

Opt out of marketing and request removal if you receive unsolicited outreach that references CarMax

Document and report any fraudulent delivery or pickup attempts at your address where someone may be impersonating you

What can we learn from this breach?

Address and contact details enable impersonation and phone based scams that can spill into real world safety concerns. The lesson is to treat contact data as high risk personal data, restrict exports and access, and put safeguards in place so full customer lists cannot be easily copied and released.

Was your data exposed?

Check now if your email appears in this breach. It's free, takes 30 seconds and requires no signup.

Check my email

Related breaches

Canadian Tire

01/10/2025 38,306,562 records high risk

4 data types in common

CarGurus

13/02/2026 12,461,887 records moderate risk

4 data types in common

← All breaches