Full Report
In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data.
Analysis Summary
# Incident Report: Canadian Tire Mass Data Breach (Oct 2025)
## Executive Summary
In October 2025, Canadian retailer Canadian Tire suffered a significant data breach resulting in the compromise of approximately 42 million records, including 38 million unique email addresses, personal identifiers, and hashed passwords. While sensitive financial data like bank information was explicitly excluded, partial credit card details and dates of birth were exposed for a subset of users. The organization issued a disclosure notice following the discovery.
## Incident Details
- Discovery Date: Not stated in the source; the breached data was loaded into Have I Been Pwned (HIBP) on February 25, 2026.
- Incident Date: October 2025
- Affected Organization: Canadian Tire
- Sector: Retail
- Geography: Canada (Implied)
## Timeline of Events
### Initial Access
- Date/Time: October 2025 (Approximate)
- Vector: Unknown based on provided text.
- Details: Attackers obtained access to a system holding customer account and profile data; how is not stated.
### Lateral Movement
- Date/Time: Post-Initial Access
- Vector: Unknown based on provided text.
- Details: Not specified in the source material.
### Data Exfiltration/Impact
- Date/Time: Post-Initial Access/During Incident Window
- Vector: Data Theft
- Details: 38M unique email addresses, names, phone numbers, physical addresses and PBKDF2 password hashes were exfiltrated; for a subset of records, dates of birth and partial credit card data (card type, expiry and masked card number) were also taken.
### Detection & Response
- Date/Time: Prior to February 25, 2026
- Vector: Not stated; the source records only that a disclosure notice was issued.
- Details: Canadian Tire issued a disclosure notice; users were subsequently advised to change passwords and enable 2FA.
## Attack Methodology
- Initial Access: Unknown
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Implied access to password hashes.
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: Collection of customer PII and partial payment details.
- Exfiltration: Exfiltration of collected data.
- Impact: Mass exposure of customer credentials and PII.
## Impact Assessment
- Financial: Unknown (No specific costs provided).
- Data Breach: **Approximately 42M total records** compromised, containing:
- **38M unique email addresses**
- Names, Phone Numbers, Physical Addresses
- Passwords (stored as PBKDF2 hashes)
- Dates of Birth (subset)
- Partial Credit Card data (Card Type, Expiry, Masked Number) (subset)
- *Note: Bank account information and loyalty program data were confirmed **not** impacted.*
- Operational: Unknown (No specific business disruption details provided).
- Reputational: Significant breach affecting a major national retailer.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** None provided.
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Disclosure notice was issued to the public. Users were advised to take immediate action.
## Lessons Learned
- Passwords were stored as PBKDF2 hashes rather than in plaintext, so a direct credential dump was avoided. PBKDF2's protection is only as good as its parameters (per-user salt, PRF and iteration count): a low iteration count is cheap to attack on GPUs, and PBKDF2 is not memory-hard, so weak or reused passwords in the dump should be assumed crackable.
- Whatever the initial access vector, the attacker reached a data store holding PII and partial payment identifiers alongside account credentials, so a single foothold exposed several classes of sensitive data at once.
- The data was confirmed public only when it surfaced on HIBP, months after the October 2025 incident window. Monitoring for data staging and bulk exfiltration needs to catch this earlier than third-party disclosure.
## Recommendations
- Force a password reset for affected accounts and enable Multi-Factor Authentication (MFA/2FA) for customer accounts, so that a cracked password hash alone is not sufficient to log in.
- Review segmentation and access controls to limit the blast radius of future incidents, in particular separating systems that hold partial financial identifiers and dates of birth from general customer profile data.
- Audit the PBKDF2 parameters actually in use. If the iteration count is below current guidance (OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256), raise it, or migrate to a memory-hard function such as Argon2id, scrypt or bcrypt. Existing hashes can be upgraded transparently at each successful login.
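The following is an added example, not code from Canadian Tire or from the original report, illustrating the two password-hashing points above (Lessons Learned and the last Recommendation): verifying a stored PBKDF2 record in constant time, detecting a record whose iteration count is below the current target, and rehashing it on successful login. The record format `pbkdf2_sha256$<iterations>$<salt_b64>$<dk_b64>` and the `LEGACY_ITERATIONS` value are assumptions made for the example; nothing is known about the scheme actually used in the breach.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record layout for this example (not Canadian Tire's actual scheme):
#   pbkdf2_sha256$<iterations>$<salt_b64>$<dk_b64>
ALGORITHM = "pbkdf2_sha256"
TARGET_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256
LEGACY_ITERATIONS = 1_000    # assumed low legacy cost, used only to build sample records
DK_LEN = 32                  # derived-key length in bytes


def hash_password(password: str, iterations: int = TARGET_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a fresh PBKDF2-HMAC-SHA256 record with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, derived_key)."""
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != ALGORITHM:
        raise ValueError("unsupported algorithm: %r" % alg)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the record's own parameters and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(record: str) -> bool:
    """True when the stored iteration count is below the current target."""
    iterations, _, _ = parse_record(record)
    return iterations < TARGET_ITERATIONS


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; on success, return the record that should now be stored.

    The plaintext is only available at login, so this is the one moment a
    low-cost hash can be replaced by one at TARGET_ITERATIONS without a reset.
    """
    if not verify_password(password, record):
        return False, record
    if needs_upgrade(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a user whose hash was created under the assumed legacy cost.
    legacy = hash_password("correct horse battery staple", iterations=LEGACY_ITERATIONS)
    print("legacy record needs upgrade:", needs_upgrade(legacy))
    ok, stored = login_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| upgraded:", not needs_upgrade(stored))
    print("wrong password accepted:", login_and_upgrade("hunter2", legacy)[0])
```

`hmac.compare_digest` avoids a timing side channel on the comparison, and `parse_record` reads the iteration count from the record itself so that old and new hashes can coexist during the migration. A forced reset is still needed for any account that never logs in again, since those hashes stay at the legacy cost.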