Canadian Tire E-commerce Database Breach Exposes Data for Over 38 Million Accounts
Canadian Tire Corporation disclosed a major breach of its e-commerce customer database after identifying unauthorized access on October 2, 2025, exposing personal data tied to 38+ million customer accounts. Exposed data included names, physical addresses, email addresses, year of birth (and for <150,000 accounts, full dates of birth), and encrypted passwords; some records also contained truncated payment card numbers. The company stated the exposed financial data could not be used to conduct transactions, and reported no impact to in-store systems, Canadian Tire Bank, or Triangle Rewards.
Canadian Tire reported it remediated the underlying issue, notified regulators, and planned customer notifications and credit monitoring. Have I Been Pwned added the incident to its corpus, reporting roughly 42 million records (including ~38.3 million email addresses) and indicating the dataset includes PBKDF2 password hashes along with additional fields such as phone numbers and gender, increasing the likelihood of credential-stuffing and identity-fraud follow-on activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned adds Canadian Tire breach to its database
Have I Been Pwned added the Canadian Tire incident to its breach database and reported roughly 42 million exposed records, including about 38.3 million email addresses and PBKDF2 password hashes in the dataset. This provided additional public technical detail on the scale and contents of the exposed data.
Canadian Tire publicly discloses breach affecting over 38 million accounts
Canadian Tire disclosed that a 2025 breach exposed personal data linked to more than 38 million customer e-commerce accounts, including contact details, encrypted passwords, truncated credit card numbers, and in fewer than 150,000 cases full dates of birth. The company said it would notify affected users and offer credit monitoring.
Canadian Tire fixes breach and notifies regulators
After identifying the issue, Canadian Tire said it fixed the vulnerability and notified regulators. The company also stated that its e-commerce systems remained operational and that Canadian Tire Bank and Triangle Rewards were not affected.
Canadian Tire detects unauthorized activity in e-commerce database
Canadian Tire said it discovered unauthorized activity in a customer e-commerce database on 2025-10-02, marking the start of its identified breach incident. The exposure was tied to customer account data rather than in-store systems or other business units.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Have I Been Pwned: Canadian Tire Data Breach
haveibeenpwned.com
Open sourceCanadian Tire data breach affects over 38 million accounts | brief | SC Media
scworld.com
Open sourceteiss - News - Canadian Tire data breach exposes information from over 38 million customer accounts
teiss.co.uk
Open sourceCanadian Tire 2025 data breach impacts 38 million users
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Have I Been Pwned Adds Quitbro and Lovora Breaches Linked to Plantake
Have I Been Pwned (HIBP) added two alleged February 2026 breaches affecting *Plantake*-made mobile apps: porn addiction app **Quitbro** and couples/relationship app **Lovora**. Quitbro exposure is listed as **sensitive** and not publicly searchable on HIBP; it allegedly impacted **23k** unique email addresses and included years of birth, in-app questionnaire responses, and users’ last recorded relapse time. Lovora allegedly exposed **496k** unique email addresses along with display names, profile photos, and other personal information collected through app usage; in both cases, Plantake reportedly did not respond to multiple contact attempts. Separately, Canadian retailer **Canadian Tire** disclosed an **October 2025** breach of an e-commerce customer database affecting **38+ million** accounts, with exposed data including names, addresses, emails, year of birth, and **PBKDF2** password hashes; a smaller subset included full dates of birth and some records included truncated payment card data. The company stated in-store transactions and certain business units (e.g., Canadian Tire Bank and Triangle Rewards) were not impacted, and it reported remediation, regulatory notification, customer outreach, and credit monitoring; HIBP also added the Canadian Tire dataset, but it is a distinct incident from the Plantake app breaches.
Mar 27, 2026
Dutch Organizations Report Data Breaches and Extended Unauthorized Access
Dutch authorities reported a prolonged compromise at the Dutch prisons agency **DJI**, where attackers reportedly maintained access for at least **five months**. Exposed information included staff **email addresses, phone numbers, and security certificates**, and the Dutch NCSC indicated the intruders also accessed **phones, tablets, and laptops**, though the extent of data access on those endpoints was not confirmed; DJI did not confirm whether access had been fully removed. Separately, Dutch telecom **Odido** disclosed a **data breach followed by an extortion attempt**, after which attackers publicly released about **1M records** (including **317k unique email addresses**) and threatened additional leaks. The published data reportedly included **names, physical addresses, phone numbers, bank account numbers**, and customer-service notes; Odido’s notice also warned that **dates of birth** and government ID numbers (passport/driver’s license) were impacted. A **Canadian Tire** breach entry describes a different incident in Canada (October 2025) involving ~**42M records** with PBKDF2-hashed passwords and some partial payment-card metadata, and is not part of the Netherlands-focused events above.
Mar 21, 2026
Toys R Us Canada Customer Data Breach and Online Leak
Toys R Us Canada notified customers that attackers accessed their customer database, stole personal information, and subsequently posted the data online. The breach was discovered on July 30, 2025, after threat actors claimed to have published the stolen data on the unindexed internet. The compromised information includes names, addresses, phone numbers, and email addresses, but does not include passwords, credit card details, or other highly confidential data. The company engaged third-party cybersecurity experts to investigate and contain the incident and is in the process of reporting the breach to Canadian privacy authorities. Customers have been advised to remain vigilant against phishing attempts and unsolicited communications that may impersonate Toys R Us. While the company has upgraded its IT security systems following the breach, it has not offered free identity or fraud monitoring services to affected individuals. The total number of impacted customers has not been disclosed, but the incident highlights the risks of identity fraud, phishing, and other malicious activities that can result from the exposure of personal information online.
Mar 21, 2026