Critical

Canadian Tire Breach: 38.3M Accounts — Passwords Exposed

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partia...

Overview

In October 2025, Canadian Tire experienced a significant data breach that compromised the personal information of over 38 million individuals. The breach exposed a vast amount of sensitive customer data. While the company states that bank account and loyalty program data were not impacted, the scale and nature of the information leaked make this a critical security incident requiring immediate attention from anyone who has shopped at Canadian Tire or used its online services.

What Was Exposed

The breached data is extensive and includes several key pieces of personal information:

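  • Email Addresses and Passwords: Login credentials were exposed. Passwords were protected with a strong hashing method (PBKDF2), which makes them difficult for criminals to immediately misuse, but they are still at risk: anyone holding the leaked hashes can test password guesses against them offline, so weak or reused passwords remain exposed.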
  • Personal Identifiers: Full names, phone numbers, and physical addresses.
  • Financial Data: For a subset of records, partial credit card information was exposed, including the card type, expiry date, and a masked version of the card number.
  • Sensitive Personal Data: Dates of birth were also included for some affected individuals.
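
Why a PBKDF2 hash is "still at risk", shown as an added example (not code from Canadian Tire or from this report): a defender-side audit that checks whether a stored hash was derived from a well-known password. The iteration count, salt size, record layout and sample passwords are assumptions constructed for illustration; the report does not state the real parameters.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the breach report does not state the real one


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash, the kind of value a stored record holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def exposed_by_common_list(record: dict, common_passwords: list) -> bool:
    """Audit: is this stored hash derived from a password on a well-known list?

    The salt and iteration count are stored next to the hash, so this check
    needs nothing but the record itself and is not slowed by login rate limits.
    PBKDF2 only raises the cost of each guess; it cannot protect a password
    that is among the first guesses tried.
    """
    return any(
        verify(guess, record["salt"], record["hash"], record["iterations"])
        for guess in common_passwords
    )


def make_record(password: str) -> dict:
    """Build a hypothetical stored record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": hash_password(password, salt)}


# Constructed sample data, not taken from the breach.
COMMON = ["123456", "password", "qwerty", "hockey2025"]
weak_record = make_record("hockey2025")
strong_record = make_record("V7#pale-Otter-stamps-91-quietly")

if __name__ == "__main__":
    print("weak password on common list:", exposed_by_common_list(weak_record, COMMON))
    print("strong password on common list:", exposed_by_common_list(strong_record, COMMON))
```

The long, unique password is not matched by the list, which is why the password-change advice under Recommendations matters most for short or reused passwords.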

Potential Impact

The combination of exposed data creates multiple serious risks. Criminals can use your name, address, phone number, and date of birth to commit identity theft, apply for credit in your name, or execute targeted phishing scams. While the credit card data was partial, when combined with other personal details, it could still facilitate fraud or be used in social engineering attacks to trick you or financial institutions into revealing more information. Your exposed email and hashed password also pose a risk. If you used the same password on other websites, attackers could attempt to access those accounts.

Recommendations

If you have ever had an online account with Canadian Tire or made an online purchase, take these steps immediately:

  1. Change Your Password: Change your password for your Canadian Tire account immediately. If you have used this same password on any other website or service, change it on those sites as well. Use a strong, unique password for every important account.
  2. Enable 2FA: If Canadian Tire offers two-factor authentication (2FA), enable it. This adds a critical extra layer of security to your account.
  3. Monitor Financial Statements: Carefully review statements for your Canadian Tire credit card and any other cards you may have used with the company. Look for any unauthorized transactions, no matter how small, and report them to your bank immediately.
  4. Beware of Phishing: Be extremely cautious of emails, texts, or calls claiming to be from Canadian Tire, your bank, or any service asking you to verify account details, click links, or download attachments. Do not click on links in unsolicited messages. Contact the company directly through their official website or customer service number.
  5. Consider a Credit Freeze: Given the exposure of personal identifiers, you may want to place a fraud alert or security freeze on your credit reports with Equifax and TransUnion. This makes it much harder for identity thieves to open new accounts in your name.

How to Check If You’re Affected

This breach has been reported to the free notification service “Have I Been Pwned.” You can visit their website directly to check if your email address was involved in this or any other known data breach: https://haveibeenpwned.com/Breach/CanadianTire. Simply enter your email address on their main page to see a report. Regardless of the result, if you are a Canadian Tire customer, it is prudent to follow the recommendations above as a precautionary measure.
