More than 38 million accounts were affected by an October 2025 data breach at Canadian retail giant Canadian Tire.
The incident was discovered on October 2 and involved unauthorized access to an e-commerce database, the company said.
“The database contained basic personal information for customers who have an e-commerce account with one or more of Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City,” the retail giant announced in October.
Canadian Tire said at the time that the compromised information included names, email addresses, dates of birth, encrypted passwords, and, in some cases, incomplete credit card numbers.
Fewer than 150,000 accounts had date of birth details compromised, the company said.
Canadian Tire also underlined that the password and credit card information could not be used to access users’ accounts or to perform fraudulent transactions and purchases, and that no Canadian Tire Bank information or Triangle Rewards loyalty data was compromised in the incident.
This week, the data set associated with the incident was added to the data breach notification website Have I Been Pwned.
According to the website, roughly 42 million records were compromised in the attack, including 38.3 million email addresses. In addition to the details shared by Canadian Tire, the leaked compromised data also includes addresses, phone numbers, and gender information.
“Passwords were stored as PBKDF2 hashes, and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry, and masked card number),” Have I Been Pwned notes.
Canadian Tire has notified the affected individuals via email but has yet to publicly confirm the number of victims.
SecurityWeek has emailed the company for a statement on the matter and will update this article if it responds.
Related: 38 Million Allegedly Impacted by ManoMano Data Breach
Related: The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI
Related: WhatsApp Boosts Account Security for At-Risk Individuals
