On August 19, 2025, Edmunds.com suffered a data breach involving its proprietary messaging tool used by automobile dealers and customers. The breach, detected by a third-party vendor, exposed seventeen text messages containing personally identifiable information (PII), including names, Social Security numbers, credit card details, and driver’s license information. The compromised data belonged to individuals engaged in vehicle purchase communications, posing risks of identity theft and financial fraud. While the breach was limited in volume, the sensitivity of the exposed data particularly SSNs and financial records heightens the potential for severe consequences, including unauthorized account access, credit fraud, and long-term identity exploitation. Edmunds responded by offering 24 months of credit monitoring, dark web surveillance, $1M identity theft insurance, and recovery services to affected individuals. The delayed disclosure (reported to authorities on November 14, 2025) and the nature of the stolen data underscore significant reputational and financial risks for both the company and its customers.
Source: https://www.claimdepot.com/data-breach/edmunds-2025
Edmunds cybersecurity rating report: https://www.rankiteo.com/company/edmunds-com
"id": "EDM2371423112725",
"linkid": "edmunds-com",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Automotive (Online Car Shopping & '
'Information)',
'location': 'United States',
'name': 'Edmunds.com',
'type': 'Company'}],
'customer_advisories': ['Consumer notice with guidance on fraud protection '
'measures.',
'Encouragement to enroll in IDX services by Jan. 31, '
'2026.'],
'data_breach': {'file_types_exposed': ['text messages'],
'number_of_records_exposed': 17,
'personally_identifiable_information': ['names',
'Social Security '
'numbers',
'credit card '
'information',
'driver’s license '
'information'],
'sensitivity_of_data': 'High (includes SSNs, credit card '
'info, driver’s license info)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'mobile text messages']},
'date_detected': '2025-08-19',
'date_publicly_disclosed': '2025-11-14',
'description': 'On Aug. 19, 2025, Edmunds.com experienced a data breach '
'involving its proprietary messaging tool used by automobile '
'dealers and potential customers. Unauthorized activity was '
'detected by a vendor operating systems supporting this tool, '
'leading to the potential exposure of 17 text messages '
'containing personally identifiable information (PII) such as '
'names, Social Security numbers, credit card information, and '
'driver’s license information. The breach was disclosed to '
'state authorities on Nov. 14, 2025.',
'impact': {'brand_reputation_impact': 'Potential negative impact due to '
'exposure of sensitive customer data',
'data_compromised': ['names',
'Social Security numbers',
'credit card information',
'driver’s license information'],
'identity_theft_risk': 'High (PII including SSNs and credit card '
'data exposed)',
'payment_information_risk': 'High (credit card information '
'exposed)',
'systems_affected': ['proprietary messaging tool']},
'initial_access_broker': {'high_value_targets': ['proprietary messaging tool '
'storing PII']},
'investigation_status': 'Disclosed; ongoing remediation (credit monitoring '
'services offered)',
'post_incident_analysis': {'corrective_actions': ['Offered 24 months of '
'credit monitoring and '
'identity protection '
'services to affected '
'individuals']},
'recommendations': ['Affected individuals should enroll in complimentary '
'credit monitoring and identity protection services by '
'Jan. 31, 2026.',
'Regularly review credit reports, financial accounts, and '
'insurance statements for suspicious activity.',
'Promptly report signs of fraud to financial institutions '
'or law enforcement.',
'Consider placing fraud alerts or security freezes on '
'credit files.'],
'references': [{'source': 'Montana Attorney General Notice'}],
'regulatory_compliance': {'regulatory_notifications': ['Montana Attorney '
'General (notice '
'filed)']},
'response': {'communication_strategy': ['Consumer notice with guidance on '
'fraud alerts, security freezes, and '
'accessing free credit reports; '
'encouragement to enroll in '
'protection services by Jan. 31, '
'2026'],
'incident_response_plan_activated': True,
'remediation_measures': ['Arranged 24 months of complimentary '
'credit monitoring and identity '
'protection services for affected '
'individuals'],
'third_party_assistance': ['IDX (for credit monitoring and '
'identity protection services)']},
'title': 'Edmunds.com Data Breach Involving Proprietary Messaging Tool',
'type': 'Data Breach'}