CarMax (Salesforce) Data Breach

Status: Confirmed (Partial Sample)
452K Records
Oct 3 Breach
Oct 10 Full Dump

Breach Overview

Actor: Scattered LAPSUS$ Hunters
Vector: Salesforce cloud environment (credential compromise)
Date of Breach: October 3, 2025
Date of Reporting: October 9, 2025
Data Posted: Expected October 10, 2025
Records Stolen: 451,994 (partial dataset)
Data Volume: Undisclosed (sample verified)

Summary

In early October 2025, CarMax became one of several high-profile victims of a Salesforce-linked compromise.

A group identifying itself as "Scattered LAPSUS$ Hunters" released a verified sample of 451,994 CarMax customer records on October 3, claiming the full dump would follow on October 10.

The exposed data includes customer contact details, CRM metadata, and marketing consent flags — all consistent with Salesforce lead and account tables.

While no payment information or Social Security Numbers were found in the leaked sample, the dataset is rich in personally identifiable information (PII), including full names, phone numbers, addresses, and account source fields.

Records appear to have been extracted from a Salesforce instance tied to CarMax's web lead system. The available evidence points to improperly secured API credentials or OAuth tokens belonging to that tenant, not to a flaw in the Salesforce platform itself, consistent with a wider 2025 campaign in which the same credential-compromise pattern was used against Salesforce tenants across multiple industries.

About CarMax

CarMax is the largest used-car retailer in the United States, operating both physical dealerships and a major online sales platform. The company buys and sells vehicles nationwide and provides financing, extended service plans, and vehicle delivery services.

If you received notice that your information was involved in the CarMax/Salesforce breach but have never purchased a car directly from CarMax, that is not unusual. Your data may have been included because:

You interacted with a partner dealership or lender that uses CarMax systems or Salesforce tools connected to its customer database.
You requested a vehicle quote, financing pre-approval, or service plan through a website or marketplace that relies on CarMax or its Salesforce infrastructure.

CarMax's digital operations involve many connected systems (from sales and financing to customer support) which is why even indirect interactions can result in personal information being stored in its databases.

Data Points Exposed

Full Name
Email Address
Mobile & Home Phone Numbers
Mailing Address (Street, City, State, ZIP)
CRM Customer ID (My_KMX_Id)
Account & Lead Source Metadata
Email / SMS Opt-Out Flags
System Metadata (Creation & Modification Dates)

Dark Web Verification

Status: Confirmed (Partial Sample)

Independent researchers verified the data after the group published a preview archive on dark web forums. CarMax-related records were later indexed and anonymized within DataBreach.com's search portal.

Threat Actor: Scattered LAPSUS$ Hunters

  • Emerged mid-2025 as a splinter from the original LAPSUS$ group
  • Focused on exploiting misconfigured SaaS and CRM environments
  • Known for extortion attempts involving staged "partial leaks" before full dumps

Impact

The CarMax breach underscores how third-party SaaS ecosystems, particularly CRM platforms, can amplify risk through credential reuse and shared integrations.

Potential risks for affected customers include:

  • Targeted phishing using real CarMax account details
  • Identity exposure from address and contact leaks
  • Cross-platform doxing and unwanted contact attempts
  • Spam or fraudulent calls posing as CarMax representatives
  • CRM metadata being weaponized for impersonation or scams

Recommendations for Impacted Clients

If you've been notified, or suspect your information may be part of this breach, take the following actions:

Check Your Exposure
If you're an ObscureIQ client, this breach has been added to your active exposure profile. If not, you can request a footprint audit to determine whether your data from this or other Salesforce incidents is circulating online.
Watch for Targeted Phishing
Expect messages or calls using accurate CarMax or vehicle data. Verify communications directly with CarMax via official channels.
Use Multi-Factor Authentication
Enable MFA on all major accounts, especially email and financial logins.
Monitor Financial & Communications Accounts
Check for unusual logins, new accounts, or verification requests.
Mask Your Address
ObscureIQ can suppress your home address and contact details from major data broker databases and search engines.
Harden CRM-Linked Accounts
If you maintain business or affiliate relationships through Salesforce, rotate integration credentials, revoke OAuth tokens you cannot account for, and review the permissions granted to each connected app.
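For the last recommendation above, the following is an editor-added Python example, not code from ObscureIQ, CarMax or Salesforce. It audits the rows a Salesforce administrator can export from the standard OauthToken object with the SOQL shown in the block, flagging tokens issued to connected apps that are not on a reviewed allowlist, tokens that are stale or were never used, and the burst-usage pattern a bulk export through a stolen token leaves behind. The sample rows, the placeholder Ids and the APPROVED_APPS allowlist are constructed assumptions.

```python
"""
Audit exported Salesforce OAuth tokens for signs of abuse.

Editor-added example; not CarMax, Salesforce or ObscureIQ code. The rows in
SAMPLE_TOKENS are constructed, not from any breach sample. Assumptions: the
records come from a SOQL query over the standard OauthToken object (run through
the REST query endpoint with an admin session), and APPROVED_APPS is the org's
own reviewed allowlist of connected apps.
"""
from datetime import datetime, timedelta, timezone

# SOQL to run against /services/data/vNN.0/query?q=<url-encoded SOQL>.
SOQL = ("SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount "
        "FROM OauthToken")

# Salesforce API timestamp format, e.g. 2025-10-03T03:15:00.000+0000
SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"

# Hypothetical allowlist: connected apps this org has reviewed and approved.
APPROVED_APPS = {"Salesforce for iOS", "Marketing Cloud Connect"}

# Constructed sample rows in the shape the query above returns; Ids are placeholders.
SAMPLE_TOKENS = [
    {"Id": "TOKEN-0001", "AppName": "Salesforce for iOS", "UserId": "USER-01",
     "CreatedDate": "2025-06-01T09:00:00.000+0000",
     "LastUsedDate": "2025-10-08T14:12:00.000+0000", "UseCount": 410},
    {"Id": "TOKEN-0002", "AppName": "Lead Sync Helper", "UserId": "USER-02",
     "CreatedDate": "2025-10-02T22:41:00.000+0000",
     "LastUsedDate": "2025-10-03T03:15:00.000+0000", "UseCount": 9800},
    {"Id": "TOKEN-0003", "AppName": "Marketing Cloud Connect", "UserId": "USER-03",
     "CreatedDate": "2024-11-20T10:00:00.000+0000",
     "LastUsedDate": "2025-05-01T10:00:00.000+0000", "UseCount": 12},
    {"Id": "TOKEN-0004", "AppName": "Marketing Cloud Connect", "UserId": "USER-04",
     "CreatedDate": "2025-09-30T10:00:00.000+0000",
     "LastUsedDate": None, "UseCount": 0},
]


def parse_sf_ts(value):
    """Parse a Salesforce timestamp; None stays None (token never used)."""
    return None if value is None else datetime.strptime(value, SF_TS)


def audit_tokens(records, approved_apps=APPROVED_APPS, now=None,
                 stale_days=90, burst_uses=1000, burst_window=timedelta(days=2)):
    """Return {token Id: [reasons]} for every token that needs review.

    Checks, in order:
      unapproved_app - AppName is not on the reviewed allowlist
      never_used     - token was issued but LastUsedDate is empty
      stale          - last use is older than stale_days (revoke and rotate)
      burst_usage    - UseCount reached burst_uses within burst_window of issue,
                       the pattern a bulk export through a stolen token leaves
    """
    now = now or datetime.now(timezone.utc)
    findings = {}
    for rec in records:
        reasons = []
        created = parse_sf_ts(rec["CreatedDate"])
        last_used = parse_sf_ts(rec["LastUsedDate"])
        if rec["AppName"] not in approved_apps:
            reasons.append("unapproved_app")
        if last_used is None:
            reasons.append("never_used")
        elif now - last_used > timedelta(days=stale_days):
            reasons.append("stale")
        if (last_used is not None and rec["UseCount"] >= burst_uses
                and last_used - created <= burst_window):
            reasons.append("burst_usage")
        if reasons:
            findings[rec["Id"]] = reasons
    return findings


def run_sample(now_sf="2025-10-10T00:00:00.000+0000"):
    """Audit the constructed sample as of a fixed review time."""
    return audit_tokens(SAMPLE_TOKENS, now=parse_sf_ts(now_sf))


if __name__ == "__main__":
    for token_id, reasons in run_sample().items():
        print(f"{token_id}: {', '.join(reasons)}")
    # Revoke flagged tokens from Setup > Connected Apps OAuth Usage, rotate the
    # affected integration users' credentials, then re-check each connected
    # app's OAuth scopes and IP restrictions before re-authorizing it.
```

The burst check is the one worth tuning for your tenant: a legitimate integration also racks up a high UseCount, but it does so over weeks, not in the first few hours after a token is minted. Run the audit against a fresh export after every rotation so that a token re-issued to an attacker shows up as a new, unexplained row.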

Contact ObscureIQ

If you believe your information may be part of this breach, or want confirmation across other datasets, contact ObscureIQ for a free breach impact check.

We use a multi-layered intelligence stack that combines proprietary dark-web access with commercial and restricted breach datasets to confirm whether your personal or business data is in active circulation.