Breach Database / CarMax
Yes — CarMax was breached.
- 431,371 accounts affected
- Breach occurred 2026-01-24 · carmax.com
- Verified entry in the Have I Been Pwned catalog
What happened
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
What data was exposed
- Email addresses
- Names
- Phone numbers
- Physical addresses
What to do right now
- Be alert for smishing and SIM-swap attempts. Treat unexpected texts and "carrier" calls with suspicion; add a PIN/port-freeze with your mobile carrier.
- Watch for targeted phishing mail. A leaked home address makes postal and doorstep scams more convincing.
- Expect convincing phishing emails. Attackers use breached details to write personalized emails. Be suspicious of any message referencing this service.
- Check your other accounts on Have I Been Pwned. Your email address may appear in other breaches you don't know about yet.
- Monitor the apps you use going forward. Clearly watches the breach record for the companies behind your apps and alerts you the moment one appears.
Breach data from Have I Been Pwned. Listing here means the service appears in the public breach record — not that your personal data was affected.