Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Mar 03, 2026 · 5 min read

38 Million Email Addresses Stolen From Canadian Tire—86% Were Already Exposed in Past Breaches

A massive breach at one of Canada's largest retailers leaked names, phone numbers, physical addresses, and hashed passwords alongside 38 million email addresses.

Canadian Tire Corporation, one of Canada's largest retailers, disclosed a data breach that exposed nearly 42 million records, including 38.3 million unique email addresses. The breach, discovered on October 2, 2025, affected customers with accounts across Canadian Tire, SportChek, Mark's, and Party City. When the stolen data was loaded into the breach notification service Have I Been Pwned on February 25, 2026, a striking statistic emerged: 86% of the exposed email addresses had already appeared in previous data breaches.

Scattered shopping receipts and customer data cards representing exposed personal information from a retail data breach

What Was Exposed

The breach compromised a wide range of personal information from Canadian Tire's e-commerce database. The stolen data included full names, email addresses, phone numbers, physical addresses, genders, and dates of birth. Passwords were stored as PBKDF2 hashes, which is a standard encryption method, though the security of those hashes depends on implementation details like iteration count and salt that Canadian Tire has not disclosed.

For a subset of records, the breach also exposed partial credit card data: card type, expiration date, and masked card numbers. Canadian Tire stated that the breach did not affect bank account information, full credit card numbers, CVV codes, or Triangle Rewards loyalty program data.

Why 86% Already Being Exposed Matters

The fact that 86% of the affected email addresses had already appeared in other breaches tells a larger story about the state of online security. When the same email address appears across multiple breaches, attackers can cross reference datasets to build increasingly detailed profiles of individuals. A hacker who already has your email and password from one breach now also has your phone number, home address, and date of birth from another.

This layering effect makes each subsequent breach more dangerous than the last. Even if Canadian Tire's passwords were well hashed, attackers can use the other personal information for targeted phishing emails, phone scams, identity theft, and social engineering attacks that reference details only a legitimate company should know.

The Delayed Disclosure Problem

Canadian Tire detected unauthorized activity on October 2, 2025, and stated the vulnerability was "quickly resolved." However, the breach did not appear on Have I Been Pwned until February 25, 2026, nearly five months later. During that window, affected individuals may not have known their data was compromised and would not have taken steps to secure their accounts.

This delay is not unusual. Companies often take months to fully investigate a breach before notifying affected users, and the data frequently circulates in underground markets before it reaches public notification services. By the time you hear about a breach, the data may have already been sold, traded, and used.

Four Brands, One Database

The breach affected customers of four distinct retail brands: Canadian Tire, SportChek, Mark's (known as L'Equipeur in Quebec), and Party City. All four share the same e-commerce infrastructure under the Canadian Tire Corporation umbrella. This means a customer who created an account on any one of these retail sites had their data exposed, even if they had never shopped at the other three.

This is a common risk with corporate conglomerates. When multiple brands share a backend database, a single vulnerability exposes customers across the entire portfolio. Shoppers rarely realize that creating an account on a sporting goods site also links their data to a hardware store, a clothing retailer, and a party supply chain.

What You Should Do

If you have ever created an account with Canadian Tire, SportChek, Mark's, or Party City, take these steps now:

  • Change your password on any of these sites immediately. If you used the same password elsewhere, change it there too
  • Enable two factor authentication on your email account and any financial services linked to the exposed email address
  • Watch for targeted phishing. Attackers now have your name, address, and phone number, so scam emails and texts may reference real details to look legitimate
  • Check Have I Been Pwned at haveibeenpwned.com to see if your email appeared in this or other breaches
  • Use unique passwords for every online account. A password manager makes this practical
  • Monitor your credit if your date of birth or partial card data was exposed, as these can be used for identity fraud

The Compounding Cost of Breaches

The Canadian Tire breach is a reminder that data breaches are not isolated events. Each one adds to a growing dossier that attackers maintain on millions of people. Your email address is the thread connecting these datasets. Once it appears in enough breaches, the accumulated personal details, passwords, addresses, phone numbers, and behavioral data, create a comprehensive profile that can be exploited in ways no single breach would allow.

The best defense is to treat your email address as a primary identity that needs protection. Use a password manager, enable multi factor authentication everywhere it is available, and be skeptical of any message that seems to know too much about you. In an era where 86% of breach victims have already been breached before, the question is not whether your data has been exposed, but how many times.