If you have ever car-shopped online or looked for information on the prices or value of a car, you’ve probably checked out Edmunds.com. Edmunds, headquartered in Santa Monica, California, was acquired by CarMax in 2021.
On or about August 19, 2025, Edmunds learned that a vendor they use for proprietary messaging was the victim of a cyberattack in which the attacker was able to acquire messages containing customer data.
As first reported by ClaimDepot.com, a letter to those affected states:
Although we are not aware of any evidence clearly indicating that any unauthorized party acquired or misused any communications, we identified seventeen messages that may have been accessed which contain a combination of names with Social Security numbers, credit card information and/or driver’s license information, including a message sent by you or someone associated with you. Therefore,
out of an abundance of caution, we are sending you this letter to provide you with information about what happened and the steps that you can take.
Edmunds notified the Montana Attorney General’s Office of the incident on November 14, reporting that one Montanan had been affected. The letter states that messages were acquired from Brown Brothers Automotive in Mesa, AZ. How many other dealerships were affected is unknown at this time, as is the total number of affected consumers. No threat actors have publicly claimed responsibility for any attack on Edmunds.
