On October 2, 2025, Canadian Tire (canadiantire.ca) reported a cybersecurity incident that disrupted parts of its digital environment. For security teams, the attack fits a familiar pattern: rather than relying on exploits or zero-days, the attackers used stolen credentials to get into a system.
Like many large organizations, Canadian Tire doesn’t operate on a single domain. It relies on several related domains, including cantire.com, to run everyday services. Lunar’s telemetry shows that credentials tied to both canadiantire.ca and cantire.com were exposed over an extended period before the incident took place. That exposure created a long‑running window in which attackers could quietly buy or reuse real accounts and walk in through the front door.
Executive Snapshot
- Primary brand: Canadian Tire (canadiantire.ca)
- Exposed credentials (canadiantire.ca): ~6 distinct accounts
- Exposed credentials (cantire.com): ~82 distinct accounts
- Infostealer families seen: LummaC2, Rhadamanthys, Vidar
- Exposure windows:
  - canadiantire.ca: May 2025 – January 2026
  - cantire.com: May 2025 – November 2025
- Affected services: SSO gateways and third‑party portals that were accessed from a mix of corporate and personal Windows devices
While six exposed accounts on the main brand and 82 on a related domain may not sound catastrophic, those accounts often sit at the center of workflows, single sign‑on, and shared portals. One compromised SSO login can act like a skeleton key for multiple systems across Canadian Tire’s ecosystem.
What Lunar Saw Before the Canadian Tire Incident
Starting in May 2025, Lunar detected infostealer logs tied to Canadian Tire’s identity footprint. Credentials connected to canadiantire.ca popped up occasionally for months, while cantire.com saw a steadier drip of exposures right up to the October 2 breach, and for a whole month after.
Those logs weren’t just lists of email addresses and passwords. They typically contained:
- Saved usernames and passwords for canadiantire.ca, cantire.com, and related portals.
- Live session cookies and tokens that can sometimes stand in for a password or even skip an MFA prompt.
- Autofill details, including corporate email patterns and URLs for SSO and third‑party apps.
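To show how that bundle becomes an incident signal on the defender's side, here is an added example (not Lunar's code or tooling): a small Python triage script that reads a constructed stealer-log export, keeps only the saved credentials and cookies tied to an organization's monitored domains, and computes per-domain distinct accounts, cookie counts and the first/last-seen window, the same kind of figures as in the Executive Snapshot above. The log layout, the monitored-domain list, the accounts, cookie names and dates are all assumptions constructed for the example; passwords are deliberately never copied out of the raw text.

```python
"""Triage of infostealer-log exports against an organization's domain footprint.

Added example, not Lunar's tooling. The layout below is a constructed
approximation of a stealer dump: URL/USER/PASS triples for saved browser
passwords, then Netscape-format cookie lines. Accounts and dates are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Domains the organization owns; related brands count, as the article notes.
MONITORED_DOMAINS = ("canadiantire.ca", "cantire.com")

# Constructed sample: two log exports with the date each was collected.
SAMPLE_LOGS = [
    (date(2025, 5, 14),
     "URL: https://sso.canadiantire.ca/login\nUSER: jdoe@canadiantire.ca\nPASS: hunter2\n"
     "URL: https://partners.cantire.com/portal\nUSER: jdoe@canadiantire.ca\nPASS: hunter2\n"
     "URL: https://mail.personal-example.net/\nUSER: jdoe99\nPASS: gamingpass\n"
     "# domain\tflag\tpath\tsecure\texpiry\tname\tvalue\n"
     ".cantire.com\tTRUE\t/\tTRUE\t1767225600\tSESSIONID\tabc123\n"
     ".personal-example.net\tTRUE\t/\tTRUE\t1767225600\tsid\tzzz\n"),
    (date(2025, 11, 3),
     "URL: https://vendor.cantire.com/\nUSER: contractor@vendor-firm.example\nPASS: Winter2025!\n"
     ".cantire.com\tTRUE\t/\tTRUE\t1767225600\tSESSIONID\tdef456\n"),
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "credential" or "cookie"
    domain: str  # monitored domain the item belongs to
    item: str    # account name for a credential, cookie name for a cookie
    seen: date   # collection date of the log it came from


def monitored_domain_for(host: str) -> str | None:
    """Return the monitored domain that owns `host` (exact match or subdomain), else None."""
    host = host.lower().lstrip(".")
    for domain in MONITORED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


_KV = re.compile(r"^(URL|USER|PASS):\s*(.*)$")


def parse_log(text: str, seen: date) -> list[Finding]:
    """Extract findings that touch a monitored domain; passwords are never copied out."""
    findings: list[Finding] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            if current.keys() >= {"URL", "USER", "PASS"}:
                domain = monitored_domain_for(urlsplit(current["URL"]).hostname or "")
                if domain:
                    findings.append(Finding("credential", domain, current["USER"].lower(), seen))
                current = {}
            continue
        fields = raw.split("\t")
        if len(fields) == 7:  # Netscape cookie line: domain flag path secure expiry name value
            domain = monitored_domain_for(fields[0])
            if domain:
                findings.append(Finding("cookie", domain, fields[5], seen))
    return findings


def summarize(logs: list[tuple[date, str]]) -> dict[str, dict]:
    """Per monitored domain: distinct accounts, cookie count and first/last-seen window."""
    summary: dict[str, dict] = {}
    for seen, text in logs:
        for f in parse_log(text, seen):
            s = summary.setdefault(f.domain, {"accounts": set(), "cookies": 0,
                                               "first_seen": f.seen, "last_seen": f.seen})
            if f.kind == "credential":
                s["accounts"].add(f.item)
            else:
                s["cookies"] += 1
            s["first_seen"] = min(s["first_seen"], f.seen)
            s["last_seen"] = max(s["last_seen"], f.seen)
    return summary


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_LOGS).items():
        print(f"{domain}: {len(s['accounts'])} accounts, {s['cookies']} session cookies, "
              f"exposed {s['first_seen']} to {s['last_seen']}")
```

Two design points worth noting: matching is done on the registered domain of each URL or cookie, so subdomains such as an SSO host or a partner portal roll up to the brand they belong to, and a look-alike host that merely contains the brand name is not matched; and the only fields kept are account name, cookie name, domain and date, which is enough to drive a reset or revocation without the triage output itself becoming a second copy of the stolen secrets.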
For threat actors, these logs are a goldmine: a ready-made bundle of accounts that can log into SSO, together with valid cookies. Because employees and contractors often use the same credentials across canadiantire.ca and cantire.com, a single infection on one Windows laptop can simultaneously expose multiple Canadian Tire properties, namely internal tools, partner portals, and customer‑facing services, all tied back to the main brand.
Infostealers and The Value of Compromised Credentials
Prior to the Canadian Tire incident, Lunar observed the LummaC2, Rhadamanthys, and Vidar malware families. These types of malware weren’t designed to crash machines or distribute ransom notes. Instead, they sit inside browsers quietly taking information.
Once they land on a device, usually through a phishing email, a malicious ad, or a cracked download, they begin collecting:
- Saved passwords stored on browsers
- Session cookies
- Autofill and system data that details a victim’s digital life
That output lets attackers log in to target networks, including SSO pages, with real credentials, appearing to be legitimate employees rather than exploiting some obscure security flaw. In the Canadian Tire incident, because canadiantire.ca is the flagship domain, accounts tied to it are especially valuable. One exposed SSO account anchored on canadiantire.ca may unlock access to cantire.com tools, partner systems, customer‑service dashboards, and more.
A Likely Attack Pattern in the Canadian Tire Incident
We aren’t claiming that one of the compromised credentials detected by Lunar caused Canadian Tire’s October incident. But the pattern around canadiantire.ca and cantire.com mirrors how many modern breaches play out.
- A device gets infected: An employee, contractor, or partner uses a Windows machine to log into Canadian Tire services and, at some point, runs a malicious installer, clicks a convincing phishing link, or grabs cracked software. This causes an infostealer like LummaC2 or Vidar to quietly land on the system.
- The browser gives up its secrets: The malware scrapes stored logins, session cookies, and autofill data for canadiantire.ca, cantire.com, SSO portals, and business apps, which are then sent to a command‑and‑control server.
- The logs hit the underground: The stolen credentials are bundled into logs, labeled by initial access brokers (IABs) according to company and domain, and sold, traded, or shared in underground channels.
- An attacker logs in with valid credentials: A buyer uses the valid credentials or cookies to log into Canadian Tire’s SSO or portals. If the account isn’t protected by things like phishing‑resistant MFA and device checks, that login can look completely routine to monitoring tools.
The Human Side: Home PCs, Shared Laptops, and Shadow IT
Lunar’s data shows infections tied to Canadian Tire accounts coming from both managed corporate machines and personal Windows devices. That matches typical work patterns, like:
- Checking mail or dashboards from a home PC.
- Logging into partner or vendor portals from a shared family laptop.
- Keeping “remember me” turned on in browsers that also see gaming, streaming, and non-work related downloads.
These are ideal conditions from an attacker’s perspective. Personal devices rarely have the same EDR, patching discipline, or locked‑down configurations as corporate machines, but they still store valid corporate logins and cookies.
If one of those home PCs picks up LummaC2, it doesn’t matter how strong the firewall is back at HQ. The browser on that home machine is already holding the keys to the entire system.
Credential Theft Defense
The combined exposure across canadiantire.ca and cantire.com underscores how passwords and sessions are now part of your attack surface, just like exposed ports and unpatched servers. A few practical shifts can make a real difference:
- Phishing-resistant MFA: Avoid SMS and basic push notifications, particularly for SSO and highly‑privileged accounts. Hardware security keys and similar phishing-resistant methods significantly reduce the value of stolen passwords and blunt many session-replay attempts.
- Check for compromised credentials: Treat any appearance of corporate credentials in infostealer logs as an active incident signal. Lunar and similar threat‑intelligence platforms are useful for identifying exposed accounts in near real time, allowing quick password resets, token revocation and targeted investigation.
- Require “managed device only” for sensitive access: Limit access to SSO apps to devices that meet corporate security baselines. Where needed, add stricter conditional access policies and closer monitoring of unmanaged endpoints.
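The three controls above can be expressed as one ordered policy, and doing so also shows why the “routine-looking” login in the attack pattern earlier stops looking routine once credential exposure is part of the decision. The Python below is an added example, not Canadian Tire's or Lunar's configuration: it evaluates constructed SSO sign-in events against an exposure feed, a managed-device requirement and a phishing-resistant MFA requirement, and returns a decision plus the response steps (password reset, session and token revocation, investigation) for an exposed account. The event fields, MFA method labels, app names, response action names and the exposure feed are all assumptions made for the demonstration.

```python
"""Identity controls from the list above, as a policy function over sign-in events.

Added example: not Canadian Tire's or Lunar's configuration. Field names, the
MFA method labels, the app names, the action names and the exposure feed are
assumptions constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed identity-provider labels for MFA methods that resist phishing and replay
# (hardware security keys, passkeys). SMS and basic push are deliberately absent.
PHISHING_RESISTANT_METHODS = frozenset({"fido2", "passkey"})

# Assumed: apps behind SSO that carry the "managed device only" requirement.
SENSITIVE_APPS = frozenset({"sso", "admin-console", "partner-portal"})

# Constructed exposure feed: accounts seen in infostealer logs for the brand's domains.
EXPOSED_ACCOUNTS = frozenset({"jdoe@canadiantire.ca"})


@dataclass(frozen=True)
class SignIn:
    account: str
    app: str
    mfa_method: str | None  # None means password only
    device_managed: bool    # device meets the corporate baseline (EDR, patching, config)


@dataclass(frozen=True)
class Decision:
    action: str               # "contain", "deny", "step_up" or "allow"
    reason: str
    actions: tuple[str, ...]  # response steps for the SOC or IdP to carry out


def evaluate(event: SignIn, exposed: frozenset[str] = EXPOSED_ACCOUNTS) -> Decision:
    """Apply the three controls in order; the first one that fires decides."""
    # 1. Exposure check: a hit is an incident signal, however clean the login looks.
    if event.account.lower() in exposed:
        return Decision(
            "contain",
            "account appears in infostealer exposure feed",
            ("force_password_reset", "revoke_sessions", "revoke_tokens", "open_investigation"),
        )
    # 2. Managed device only for sensitive access.
    if event.app in SENSITIVE_APPS and not event.device_managed:
        return Decision("deny", "sensitive app requested from unmanaged device",
                        ("log_unmanaged_attempt",))
    # 3. Phishing-resistant MFA for SSO and privileged apps; SMS, push and password-only get stepped up.
    if event.app in SENSITIVE_APPS and event.mfa_method not in PHISHING_RESISTANT_METHODS:
        return Decision("step_up", f"mfa method {event.mfa_method!r} is not phishing-resistant",
                        ("require_security_key",))
    return Decision("allow", "policy satisfied", ())


# Constructed sign-in events, one per outcome.
SAMPLE_EVENTS = [
    SignIn("jdoe@canadiantire.ca", "sso", "fido2", True),   # exposed account: contained despite a clean-looking login
    SignIn("asmith@cantire.com", "sso", "push", True),      # managed device, but push is not phishing-resistant
    SignIn("asmith@cantire.com", "sso", "fido2", False),    # home PC with a security key still fails the device rule
    SignIn("asmith@cantire.com", "sso", "fido2", True),     # meets all three controls
]


def triage(events: list[SignIn]) -> list[tuple[SignIn, Decision]]:
    """Evaluate a batch of events and pair each with its decision."""
    return [(e, evaluate(e)) for e in events]


if __name__ == "__main__":
    for event, decision in triage(SAMPLE_EVENTS):
        print(f"{event.account:26} {event.app:8} -> {decision.action:8} {decision.reason}")
```

The ordering matters: the exposure check runs first because it is the one control that is independent of how the login looks, so an attacker replaying a valid password or cookie for a known-exposed account is contained even when the device and MFA checks would have passed.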
By combining strong identity controls with external visibility into pre‑breach credential exposure, organizations can shorten the time between theft and use, turning infostealer‑driven access from a silent breach enabler to a manageable and observable risk.
Disclaimer
This report is based on telemetry observed by Lunar and publicly available information. The findings presented are provided for informational purposes only. Lunar does not claim direct attribution, nor does it assert that the observed credential exposures were the definitive cause of the reported security incident. This analysis represents a correlation of temporal data points and does not constitute a “smoking gun” or identify “patient zero.”