// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-hibpDTG 0600Z
Breach Record

CarMax

DISCLOSED 2026-01-24 · STOLEN CREDS · 431,371 RECORDS EXPOSED

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

The record

What we know

Disclosed
2026-01-24
Attack vector
Stolen Creds
Records exposed
431,371
Domain
carmax.com
Data classes exposed
Email addressesNamesPhone numbersPhysical addresses
Sources

Cited reporting

Similar vector · recent

Other stolen creds breaches on file

This page is the permanent ColdRecon entry for the CarMax disclosure. It updates if new public reporting emerges. All tracked breaches →

CarMax just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →