Canadian Tire disclosed that a data breach discovered Oct. 2, 2025, exposed personal information tied to more than 38 million customer accounts after unauthorized activity was identified in an e-commerce database.

The breach affected approximately 38 million unique accounts and ranks among the largest retail data exposures in Canada. Canadian Tire Corporation, a publicly traded retail company listed on the Toronto Stock Exchange under CTC and CTC.A, said the incident was limited to its e-commerce environment and did not impact in-store transactions. All e-commerce systems remain operational.
The compromised data includes names, email addresses, phone numbers, physical addresses, year of birth and encrypted passwords. Fewer than 150,000 accounts contained full dates of birth. In some cases, partial credit card information such as card type, expiration date and masked card numbers was also exposed. The company stated that the truncated payment data cannot be used to access accounts, conduct transactions or complete purchases.
Canadian Tire confirmed that no bank account information was compromised and that Canadian Tire Bank, its financial services division, and the Triangle Rewards loyalty program were not affected. In-store systems were also not impacted.
The company secured the affected systems after detecting the unauthorized activity and notified regulators. Canadian Tire said it will contact affected customers directly and offer credit monitoring services to individuals whose information was involved.
The breach was added Feb. 25, 2026, to the database of Have I Been Pwned, a website that tracks publicly known data compromises. The listing indicates that approximately 42 million records were included in the dataset, including about 38.3 million unique email addresses.
The exposed dataset contains dates of birth, email addresses, gender information, names, partial credit card data, passwords, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes, a widely used key derivation function designed to protect stored credentials. Risk remains for customers who used weak or reused passwords, because those passwords could be vulnerable to offline cracking attempts against the hashes.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543