Giant Tiger Data Breach
Status: Confirmed
Breach Intelligence Summary
Entity: Giant Tiger · Actor: Unknown · Source: DataBreach.com / ObscureIQ intelligence
Attack: Social Engineering via Social engineering
Timeline: Breach (Mar, 2024) · Reported (Apr, 2024) · Leak (9/9/25)
Exposure: 2.8M+ records · Email, Home Address, Name, Names, Phone numbers, Physical addresses
Status: Confirmed · Risk: Moderate (Phishing / SIM swap)
Summary
What happened: We’re tracking a March 2024 incident at Giant Tiger (the Canadian discount retailer) in which a third-party vendor handling customer communications was compromised. On April 12 2024 a dataset claimed to be 2.8 million Giant Tiger customer records was posted on a criminal forum. Giant Tiger says the issue stemmed from a vendor and did not affect store systems or passwords/payment data. Data exposed (varies by customer): email addresses (2.8M claimed) and for many customers names phone numbers and physical addresses. Giant Tiger’s notices explain the exact fields differ depending on how you interacted with the brand (newsletter/account GT VIP loyalty pickup or home delivery). The forum post also claimed “website activity” was included which the company did not confirm. Threat actor / leak: The dump was advertised on BreachForums; some reporting attributes the listing to a user going by “ShopifyGUY.” Access on the forum required trivial “credits ” effectively making the data widely available. When: Giant Tiger detected a possible issue on March 4 2024 concluded by March 15 that customer information was involved and began customer notifications. The public leak listing appeared April 12 2024 . Company position & regulator notice: Giant Tiger says only contact information was affected (no passwords or payment data) that store systems were unaffected and that it notified the Privacy Commissioner of Canada. Why this matters Contact data at this scale enables convincing phishing and SMS fraud that can spoof Giant Tiger or delivery updates and targeted scams using real home addresses. If you shopped online joined GT VIP created an account or subscribed to emails you’re at elevated risk of follow-on social engineering. , Our take
Scope: The most defensible top-line number based on the leak listing and contemporaneous reporting is ~2.8M customer emails with subsets containing names phones and street addresses. Giant Tiger corroborates exposure of contact info for subsets of customers but does not confirm any “website activity” field. Vector: Third-party vendor exposure in a customer-engagement/marketing platform-consistent with a growing class of CRM supply-chain incidents. , Timeline
Mar 4 2024 – Giant Tiger detects possible vendor issue. Mar 15 2024 – Determines customer information involved; begins notifications. Apr 12 2024 – Dataset advertised on BreachForums; broad press coverage follows. , What customers should do (practical steps)
Expect phishing/texts purporting to be Giant Tiger or delivery updates; don’t click links-navigate directly to the site/app. Harden your accounts: use a password manager enable MFA where available and avoid reusing passwords across sites. Phone & mail hygiene: enable carrier call-screening treat unexpected “order” texts as suspicious, and watch for mailers referencing your GT activity.
About Giant Tiger
Giant Tiger is the organization affected by this breach. User data may have been generated through account creation, service usage, or business operations.
If you have interacted with Giant Tiger in any capacity, your data may be included in this breach.
Threat Actor: Unknown
The threat actor responsible for this breach has not been publicly identified or confirmed at this time.
- Social engineering
Breach Exploitation Status
Moderate
Status
Detected
Possible
Possible
Unknown
Unknown
3–5 years
Phone numbers and addresses change over time but remain valid long enough for sustained exploitation campaigns.
Data Points Exposed
Dark Web Verification
Status: Confirmed
- Dataset containing approximately 2.8M+ records has been identified in breach intelligence sources.
- The data is indexed and searchable across breach notification platforms.
Impact
This breach carries moderate risk due to the nature of exposed data fields and the scale of affected records.
- Targeted phishing referencing Giant Tiger accounts or services
- SIM-swap attempts where phone numbers are present
- Physical mail scams and address-based identity verification fraud
- Data broker enrichment and resale
Recommendations for Impacted Individuals
If you believe your information may be included:
Non-clients may request a breach impact review.
Giant Tiger account updates
Password reset requests
Verify directly through official channels.
Email compromise is often the first pivot point.
Frequently Asked Questions
In Mar, 2024, Giant Tiger experienced a data breach that resulted in the exposure of approximately 2.8M+ records containing personal information.
The exposed data includes Email, Home Address, Name, Names, Phone numbers, Physical addresses.
Approximately 2.8M+ records were affected based on current breach intelligence.
Yes. This breach is treated as confirmed based on data observed in breach intelligence platforms.
Data circulation has been detected across breach-sharing channels. Downstream exploitation risk exists based on the nature of the exposed fields.
Rotate passwords associated with Giant Tiger, enable multi-factor authentication on email and financial accounts, and monitor for suspicious activity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-net-worth individuals face elevated risk. Our team provides full-spectrum exposure audits and threat monitoring.
Corporate Accountability
Organizations that collect personal data have a duty to implement reasonable safeguards and to notify affected individuals when breaches occur.
Scope assessments may evolve as investigations continue. Users should not rely solely on early estimates when making risk decisions.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Giant Tiger
- Or simply concerned about credential reuse
We can confirm whether your information is circulating and evaluate downstream threat vectors.