Critical

Canadian Tire Breach: 38.3M Accounts — Passwords Exposed

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partia...

Overview

In October 2025, Canadian retailer Canadian Tire confirmed a data breach exposing nearly 42 million records covering 38.3 million unique email addresses, alongside names, phone numbers, physical addresses, hashed passwords, and partial credit card numbers. The breach, since loaded into Have I Been Pwned, is one of the largest in Canadian retail history. Canadian Tire has not disclosed how attackers gained access; the scale suggests a system-wide compromise rather than a single exposed application. Victims span current and former customers, potentially including anyone who ordered online or used a loyalty program. The data is now circulating on criminal forums, posing immediate identity theft and financial fraud risks.

What Was Exposed

The breached dataset includes:

  • Email addresses: Primary identifiers for phishing and credential-stuffing attacks.
  • Passwords: Stored as PBKDF2 hashes. PBKDF2 is a salted, iterated key derivation function designed to make each guess expensive, but it does not stop offline cracking: an attacker holding the hashes can test guesses at their own pace, and weak or common passwords fall quickly regardless of the iteration count.
  • Names, phone numbers, physical addresses: Enables targeted social engineering and physical-world harassment.
  • Dates of birth: A key piece for synthetic identity fraud.
  • Partial credit card details: How many digits of each card were exposed is unclear, but any exposure increases card-not-present fraud risk, and the last four digits are routinely used by call centres to verify a caller's identity. Canadian Tire has not confirmed whether full card numbers or expiration dates were included.

Account Takeover Risks

The password exposure is the most urgent threat. PBKDF2 raises the cost of each guess but does not prevent guessing: with the hashes in hand, attackers run dictionary and rule-based attacks on GPU clusters, and weak or reused passwords are recovered first. Anyone who reuses passwords across sites is exposed, because recovered credentials are replayed against banking, email, and social media logins. This style of “credential stuffing” is automated and hard to detect from the victim's side until a secondary account is accessed.

Canadian Tire account holders should immediately reset their passwords and enable multi-factor authentication. Do not reuse the same password on other services.
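The offline attack described above, as an added example that is not code from the original report or from Canadian Tire: it derives PBKDF2-HMAC-SHA256 records the way a typical password store does, runs a small rule-based dictionary attack against them, and times the per-guess cost at several iteration counts. The record layout, wordlist, mangling rules, passwords and iteration counts are all constructed for the demonstration; Canadian Tire's actual parameters (hash function, iteration count, salt length) have not been published.

```python
"""Offline dictionary attack against PBKDF2-HMAC-SHA256 password records.

Added example. The record format, wordlist, mangling rules and iteration
counts are constructed for the demonstration; Canadian Tire's real
parameters have not been published.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for a real cracking wordlist (rockyou and the like).
WORDLIST = ["123456", "password", "hockey", "canadiantire", "qwerty"]


def make_record(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Hash a password the way a typical PBKDF2 password store does."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"],
                                record["iterations"], dklen=32)
    return hmac.compare_digest(guess, record["hash"])


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Tiny rule set (capitalisation plus common suffixes) of the kind cracking tools apply."""
    for w in words:
        for base in (w, w.capitalize()):
            for suffix in ("", "1", "!", "123", "2025"):
                yield base + suffix


def crack(record: dict, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses tried)."""
    tried = 0
    for guess in guesses:
        tried += 1
        if verify(record, guess):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Single-core cost of one guess; GPU rigs are orders of magnitude faster."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = make_record("Hockey2025", iterations=1000)
    strong = make_record("c7!Vq2#pL9@xRw", iterations=1000)
    print("weak   :", crack(weak, candidates(WORDLIST)))    # recovered after 30 guesses
    print("strong :", crack(strong, candidates(WORDLIST)))  # (None, 50): not in the dictionary
    # Iterations scale the per-guess cost linearly. OWASP's 2023 guidance is
    # 600,000 for PBKDF2-HMAC-SHA256; that buys time against a weak password,
    # never safety.
    for it in (1_000, 100_000, 600_000):
        print(f"{it:>8} iterations: {seconds_per_guess(it) * 1e3:8.2f} ms/guess")
```

The point of the timing loop is the one the advisory makes: the iteration count multiplies the attacker's cost per guess, but a password that sits within a few dozen rule-mangled dictionary entries is recovered in seconds at any realistic setting, while a long random one is never reached by the dictionary at all.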

Identity Theft Risks

The combination of names, addresses, phone numbers, dates of birth, and partial credit card numbers creates fertile ground for identity theft. Attackers can apply for credit lines, open utility accounts, or file fraudulent tax returns using this data. The Canadian Anti-Fraud Centre warns that such “fullz” (full identity packages) sell for $10–$30 per record on dark web markets.

Victims should place a fraud alert with both Equifax Canada and TransUnion Canada, request their free credit reports from each bureau, and review them for inquiries or accounts they do not recognise. A statutory credit freeze is available to Quebec residents; elsewhere in Canada, ask each bureau which lock or alert products it offers. Confirmed fraud should be reported to the Canadian Anti-Fraud Centre and to local police.

How to Check If You’re Affected

Visit Have I Been Pwned and enter your email address. The site will confirm whether your address appears in the breach and which data classes were exposed. Canadian Tire has not provided a standalone lookup tool. Treat any email claiming to be a breach notification with care, because phishing campaigns routinely imitate them: do not follow links or enter credentials from the message; go to Canadian Tire's site directly to reset your password, and cross-check with HIBP.
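Beyond the email lookup described above, HIBP also exposes its Pwned Passwords corpus through a range API, which is the practical way to find out whether a password you reused elsewhere is already in attackers' hands. The following is an added example, not code from the original page or from HIBP: it implements the k-anonymity query (only the first five hex characters of the password's SHA-1 are sent; the remainder is matched locally) and parses the response offline against a constructed sample whose counts are made up. `fetch_range` performs the live query when network access is available.

```python
"""Check a password against HIBP's Pwned Passwords corpus with k-anonymity.

Added example, not code from the original page. Only the first five hex
characters of the SHA-1 leave the machine; matching happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return (5-char prefix sent to HIBP, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Each response line is 'SUFFIX:COUNT'. Return the count for our suffix, 0 if absent.

    With the Add-Padding header HIBP mixes in dummy suffixes with count 0, so a
    zero count is also how a padded entry reads.
    """
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count.strip() or 0)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live query (network). HIBP requires a User-Agent; Add-Padding hides the true row count."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "breach-advisory-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in breach corpora (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample of what /range/5BAA6 might return: a few suffixes with
# made-up counts plus one padded entry. SHA-1("password") begins with 5BAA6.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that answers only the constructed prefix."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password:", pwned_count("password", fetch=offline_fetch))        # 3730471
    print("random  :", pwned_count("c7!Vq2#pL9@xRw", fetch=offline_fetch))  # 0
```

Swap `offline_fetch` for the default `fetch_range` to query the live service. Any non-zero count means the password is already in cracking dictionaries and should be retired everywhere it was used, not just at Canadian Tire.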

Security Insight

Canadian Tire’s use of PBKDF2 shows the password store was designed with credential security in mind, but hashing protects only passwords: the names, addresses, dates of birth and card fragments were exposed in usable form, because such data must be readable to serve customers. The breach’s scale also points to a systemic failure in access controls, network segmentation, or monitoring. In the retail sector, this breach parallels the 2018 Marriott/Starwood and 2024 Ticketmaster incidents, where third-party access and weak internal segmentation led to mass data leaks. The lesson: strong cryptography cannot compensate for porous perimeter defenses. Companies should treat password hashing as damage limitation rather than a shield, and invest in real-time breach detection and least-privilege access controls.
