
Canadian Tire’s October 2025 data breach, which exposed tens of millions of customer records, has now been added to Have I Been Pwned (HIBP), listing 38.3 million unique email addresses from a total of 42 million records exposed.
The compromised dataset contains personal information including names, phone numbers, physical addresses, genders, and dates of birth. Passwords were stored as PBKDF2 hashes, and for a subset of accounts, the data also included partial credit card information, specifically card type, expiry date, and masked card numbers.
The breach itself occurred in October 2025 and was publicly disclosed shortly after discovery. Canadian Tire Corporation (CTC) said it detected unauthorized activity on October 2, 2025, affecting a specific e-commerce database. The impacted system supported online accounts for Canadian Tire and its affiliated retail brands, including SportChek, Mark’s/L’Équipeur, and Party City. The company stated at the time that the vulnerability was quickly resolved and that the incident did not impact Canadian Tire Bank systems or the Triangle Rewards loyalty program.
Canadian Tire Corporation is one of Canada’s largest retailers, operating hundreds of stores nationwide and maintaining a substantial e-commerce presence. Beyond its flagship Canadian Tire brand, the company owns several major retail chains spanning sporting goods, apparel, and party supplies. Its digital platforms handle millions of customer accounts, making the scale of the exposed data particularly significant.
In its November 2025 announcement, CTC clarified that the compromised database included basic personal details such as names, addresses, email addresses, and year of birth. While passwords were hashed and credit card numbers were incomplete, the exposure still posed privacy and phishing risks. The company emphasized that full credit card numbers, CVVs, bank account information, and loyalty program data were not included in the affected database.
According to HIBP, approximately 86% of the exposed email addresses were already present in the service’s database from previous breaches.
Although CTC maintained that the stolen data was insufficient to directly access accounts or conduct fraudulent purchases, hashed passwords and partial financial data can still be leveraged in credential-stuffing campaigns, phishing attacks, and identity fraud attempts. PBKDF2 is a widely used password-hashing algorithm designed to slow down brute-force attacks, but its resilience depends heavily on implementation details, such as the iteration count and salt usage, that were not publicly disclosed.
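The sketch below is an added example, not Canadian Tire's code or anything taken from the disclosure. It shows how a defender can audit a stored PBKDF2 record for the two parameters named above and upgrade a weak record at the next successful login. The record layout `pbkdf2_sha256$iterations$salt$digest`, the function names and the policy thresholds are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Policy thresholds are assumptions for this example, not figures from the breach.
MIN_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256
MIN_SALT_BYTES = 16

def hash_password(password, iterations=MIN_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<b64 salt>$<b64 digest>' (assumed layout)."""
    salt = os.urandom(MIN_SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])

def parse(record):
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)

def weaknesses(record):
    """List which parameters of a stored record fall below policy."""
    iterations, salt, _ = parse(record)
    found = []
    if iterations < MIN_ITERATIONS:
        found.append("iterations")
    if len(salt) < MIN_SALT_BYTES:
        found.append("salt")
    return found

def verify_and_upgrade(password, record):
    """Check a login attempt; return (ok, replacement_record_or_None)."""
    iterations, salt, expected = parse(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if not hmac.compare_digest(dk, expected):  # constant-time comparison
        return False, None
    # A weak record can only be re-derived while the plaintext is in hand.
    new_record = hash_password(password) if weaknesses(record) else None
    return True, new_record

if __name__ == "__main__":
    # Constructed legacy record: low work factor and a 4-byte salt.
    legacy = hash_password("correct horse", iterations=1_000, salt=b"abcd")
    print(weaknesses(legacy))
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, weaknesses(upgraded))
```

Running `weaknesses` over every stored record gives a count of accounts still on old parameters; those that never log in again can only be fixed by forcing a password reset.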
Users who had accounts with Canadian Tire or its affiliated brands in October 2025 should reset account passwords, enable multi-factor authentication (MFA) where available, monitor financial statements and credit reports for suspicious activity, and stay vigilant for phishing emails.
