Canadian Tire Data Breach Impacts 38 Million Accounts

Names, addresses, email addresses, phone numbers, and encrypted passwords were compromised in the attack.

By Ionut Arghire | February 28, 2026 (6:50 AM ET)

More than 38 million accounts were affected by an October 2025 data breach at Canadian retail giant Canadian Tire.

The incident was discovered on October 2 and involved unauthorized access to an e-commerce database, the company said.

“The database contained basic personal information for customers who have an e-commerce account with one or more of Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City,” the retail giant announced in October.

Canadian Tire said at the time that the compromised information included names, email addresses, dates of birth, encrypted passwords, and, in some cases, incomplete credit card numbers.

Fewer than 150,000 accounts had date of birth details compromised, the company said.

Canadian Tire also underlined that the password and credit card information could not be used to access users’ accounts or to perform fraudulent transactions and purchases, and that no Canadian Tire Bank information or Triangle Rewards loyalty data was compromised in the incident.

This week, the data set associated with the incident was added to the data breach notification website Have I Been Pwned.

According to the website, roughly 42 million records were compromised in the attack, including 38.3 million email addresses. In addition to the details shared by Canadian Tire, the leaked data also includes addresses, phone numbers, and gender information.

“Passwords were stored as PBKDF2 hashes, and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry, and masked card number),” Have I Been Pwned notes.
Canadian Tire has notified the affected individuals via email but has yet to publicly confirm the number of victims.

SecurityWeek has emailed the company for a statement on the matter and will update this article if it responds.

Ionut Arghire is an international correspondent for SecurityWeek.
The breach involved unauthorized access to an e-commerce database containing customer personal data, including names, addresses, email addresses, phone numbers, and PBKDF2-hashed passwords. The compromised data set, affecting approximately 38 million accounts, has been added to the Have I Been Pwned notification service. While encrypted passwords and incomplete credit card data were exposed, the company states this information could not be used for direct account access or fraudulent transactions.