PC Plus and Canadian Tire Hacked, Users Urged to Change Passwords

Loblaws is urging its PC Plus rewards members to change their passwords, after the company told CBC News some members had points stolen from their accounts. PC Plus members use their accounts to access the accompanying iOS app to collect and redeem points in-store.

“We are treating this as a breach as individual member accounts were accessed and points were stolen,” Kevin Groh, the company’s vice-president of corporate affairs and communication, told CBC News.

Groh said members who reused weak passwords on multiple sites fell victim to having their PC Plus accounts accessed. The company would not disclose how many accounts or points were taken, but did say it is working with customers to reinstate any lost points.

Last month, Loblaws emailed customers urging them to update their passwords to stronger combinations of letters, numbers and special characters. The PC Plus website now has an “important security reminder,” warning customers not to use the same username and password combinations across multiple online accounts.

Canadian Tire Suffers Break, Login Now Temporarily Disabled

Global News reported earlier this week that Canadian Tire had suspended logins on its website for customer accounts, which prevented users from seeing their Canadian Tire Money points balances and more. These same logins are used within the Canadian Tire iOS app.

Canadian Tire communications manager Stephanie Nadalin told Global, “We recently noticed unusual traffic on our website and suspended customer sign-in capabilities while we investigate.”

The company reiterated that no credit card information, including history, is located on the Canadian Tire website or its loyalty database, and that this website is the only site on which it has suspended logins, said Susan O’Brien, the company’s vice president of marketing and corporate affairs.

Customers started tweeting at Canadian Tire on Sunday, demanding an explanation. The company replied asking users to DM so it could investigate further, only to say “we’re experiencing tech difficulties and have temporarily disabled log-ins.”

Canadian Tire did not state any public concern over the shutdown of its login system—until it was contacted by Global News. No timeframe has been given on when customer logins will be enabled again. The company did say there are “systems in place to monitor for unusual online activity to protect the personal information of our customers.”

If you have a PC Plus or Canadian Tire account, it is time to change your passwords if you’re reusing the same ones from other websites. In this day and age, if you’re not using a password manager like 1Password to generate unique passwords, you’re putting yourself at risk.

Founder and Editor-in-Chief of iPhoneinCanada.ca.

  • SV650

    “The PC Plus website now has an “important security reminder,” warning customers not to use the same username and password combinations across multiple online accounts.”

    Yet they demand my email as my username, reducing my options for unique credentials by fully 50%.

  • jabohn

    Also they only let you use 8 characters for the password. What the…

  • Kael

    My default passwords are 16 characters, upper, lower, numbers, and special characters. Everyone should be using a password manager. That’s the only way I can remember 120 sixteen-character random passwords. I use LastPass, free and very secure.

  • johnnygoodface

    They’re allowing up to 12 characters

  • jabohn

    How then? I’ve tried both the website and the app. The website won’t allow more than 8. The app just says between 6-8 characters only.

  • johnnygoodface

    Honestly, I ran into a problem resetting my password, so I had to call them, but eventually I was able to set a new 12-character password. Cheers!

  • jabohn

    Official reply from PC Plus customer services: “Please be informed that to create a password, it is required to be 6-8 characters long.”