What Happened
In January 2026, US automotive retailer CarMax (carmax.com) suffered a data breach when hackers, after a failed extortion attempt, published stolen data online, affecting 431,400 unique accounts. The exposed information included email addresses, names, phone numbers, and physical addresses. The breach was publicly detailed around January 23-24, 2026, and added to tracking sites like Have I Been Pwned on February 20, 2026. Note that earlier incidents in October 2025 involved a separate 1.7GB leak linked to a Salesforce compromise by “ScatteredLAPSUSHunters,” but they do not match the queried 2026 event.
