ShellCodeX
Tools โ€ข Events โ€ข News โ€ข Insights
ShellCodeX Breach Report

CarMax Data Breach

carmax.com
Limited exposure
Verified breach
Accounts exposed 431,371
Breach date 24 Jan 2026
Added to tracker 20 Feb 2026
Data classes 4

What happened

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Exposed data

Email addresses Names Phone numbers Physical addresses

Recommended actions

  • Watch for targeted phishing emails referencing CarMax โ€” attackers weaponise breach data quickly.
  • Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
  • Exposed identity data raises identity-theft risk โ€” consider credit monitoring or a credit freeze.
  • Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP