Industry — Data Breach
Executive Summary
Data breach reported by HIBP — CarMax - 431,371 breached accounts: In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.
What Happened
In January 2026, data allegedly obtained from US automotive retailer CarMax was published online after an extortion attempt failed. The published data included 431,371 unique email addresses along with associated names, phone numbers, and physical addresses.
Who Is Affected
Approximately 431,000 individuals whose email addresses were in the CarMax dataset are affected. These individuals also had their names, phone numbers, and physical addresses exposed in the breach.
Why It Matters
This breach exposes a significant amount of personal contact information that can be used for identity theft, phishing attacks, or physical mail fraud. The combination of email addresses, phone numbers, and physical addresses creates multiple vectors for attackers to target affected individuals.
What You Should Do
If you have an account with CarMax or have provided them your contact information, monitor your email and phone for phishing attempts or suspicious communications. Be cautious of unsolicited contacts referencing your CarMax activity, and consider placing fraud alerts on your credit reports if you are concerned about identity theft.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.