Canadian Tire Data Breach
Canadian Tire Retail & Automotive Chain Breach (2025): 38 Million Customer Records Including Partial Credit Card Data & Passwords Exposed
Canadian retail company selling automotive, home, sports, and outdoor goods.
Risk Interpretation
Exposure enables phishing, fraud, loyalty abuse, and automotive-related scams. Combined retail and automotive data increases targeting precision.
Impact & Downstream Threats
On October 2, 2025, Canadian Tire detected unauthorized access to an e-commerce database spanning customer accounts for Canadian Tire, SportChek, Mark's, and Party City Canada. The company disclosed the incident publicly on October 14. Approximately 38 million unique email addresses were exposed alongside names, addresses, phone numbers, and encrypted passwords. For fewer than 150,000 accounts, full dates of birth and partial credit card data — card type, expiry, and masked number — were also in
- Credential stuffing against reused passwords across other platforms
- Financial fraud using exposed financial profile data
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Canadian Tire, one of Canada's largest retail chains, suffered a data breach in October 2025 after an attacker gained unauthorized access to an e-commerce database through a misconfiguration. The breach affected customer accounts across four banners: Canadian Tire, SportChek, Mark's, and Party City Canada. The company detected the intrusion on October 2 and disclosed it publicly on October 14. A cybercriminal later listed the stolen database for sale on a hacking forum, asking $100,000 USD. Approximately 38.3 million records were exposed in total. The breach exposed names, email addresses, phone numbers, physical addresses, and passwords stored in an encrypted format known as PBKDF2 hashing. For a smaller subset of roughly 150,000 accounts, dates of birth and partial credit card data were also included. That partial card data consisted of card type, expiry date, and masked card number only. Canadian Tire stated that neither the partial card data nor the encrypted passwords could be used directly for transactions or account access. However, the combination of personal details across millions of records creates real risk. Attackers can use this kind of data to craft targeted phishing emails, impersonate customers, or attempt credential stuffing attacks against other accounts where people reuse passwords. Canadian Tire reported the breach to applicable Canadian privacy regulators and partnered with TransUnion Canada to notify customers whose records contained more sensitive data. Those individuals were offered credit monitoring services. No litigation or regulatory enforcement action had been publicly documented as of early 2026. Affected individuals should treat any email claiming to be from Canadian Tire or its banners with caution, change passwords used across any related accounts, and monitor their credit reports for unusual activity.
About Canadian Tire
Canadian Tire Corporation is one of Canada's largest and most recognized retailers, operating nearly 1,700 stores across the country under banners including Canadian Tire, SportChek, Mark's, and Party City Canada. Founded in 1922 and headquartered in Toronto, the company is publicly listed on the Toronto Stock Exchange. Its product categories span automotive, home, sports, and outdoor goods. Canadian Tire Bank and the Triangle Rewards loyalty program operate as separate financial and loyalty infrastructure.
Why They Hold Your Data
Multi-category retailers collect customer identity data, emails, phone numbers, addresses, purchase records, and loyalty program data across retail and automotive services.
Recent Developments
Canadian Tire has maintained its position as a dominant Canadian retail brand across multiple product categories. The company has invested in digital retail infrastructure and its loyalty ecosystem. The October 2025 breach represented the most significant cybersecurity event in the company's recent history and one of the largest retail data breaches in Canadian history by affected account count.
Data Points Exposed
Exposure Categories
Canonical Fields
credit_card:partial, date_of_birth, email_address, full_name, gender, password, phone_number, physical_address
Dark Web Verification
- Dataset containing ~38.3M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Canadian Tire Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Canadian Tire
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam