Cyber Analysis Group - CyberAGroup - OSINT Darkweb Investigations  - Insider Threat - Crypto - Online threat & exposure - SOCMINT - Canadian


UPDATE - March 19, 2026



Further to our last post (below) regarding the user "igotafeeling" on a web forum (not the "Dark Web Informer" as reported by most media outlets), who threatened to release over a billion pieces of Canadians' personally identifiable information (PII) stolen from Loblaw and Shoppers Drug Mart: today is the 19th, the deadline originally set by the hacker(s) for a response.

Interestingly, as of this morning, the original post by "igotafeeling" has been deleted. Given the lack of moderation on that specific forum, it is highly likely that the user deleted the thread themselves, effectively removing the public record of the threat and the sample links provided as proof of the compromise. Although the user account was new and had created only that single thread, the user profile was at the highest paid "GOD" level.

While the threat actor indicated they attempted to contact Loblaw directly, the forum thread served as the primary public evidence of the incident, contrasting sharply with Loblaw’s official March 10 news release. In that statement, the company characterized the event as a "low-level data breach". This leads to several pressing questions: were the hacker's massive claims of nearly a billion records actually true, and does the sudden deletion of the post mean that Loblaw paid a ransom?

As customers of Loblaw and Shoppers Drug Mart, we are left wondering if our personal information, including credit card details and highly sensitive pharmacy prescriptions, is actually secure or already in the hands of bad actors. It will be telling to see if Loblaw or government regulators offer any further transparency now that the deadline has passed. If this breach was even a fraction of what was claimed, it is vital that the mainstream media and our government seek definitive answers regarding the safety of Canadian PII.

 

ORIGINAL POST:

 

Loblaw has been hacked, but don't worry, the company says it's just a "low-level data breach," admitting that "some basic customer information" has been stolen.

Here is what the hackers have to say:

"so looks like loblaw's genius idea is to just ghost us and lie to everyone. they really couldn't care less about their customers or investors.

this wasnt some basic "low-level" breach. heres just a taste of what we got below (this is not all data):

- Salesforce "Contact" Object - 75.1M rows of customer PII (names, emails, phones, addresses, loyalty wallet IDs, health card numbers, marketing opt-ins & much more)

- SDM (Shoppers Drug Mart) Hybris prod DB - 724.9M rows including hundreds of millions of carts, millions of users (with passwords, tokens, loyalty IDs, payment info including credit card numbers and expiries), millions of orders, millions of addresses & more

- 129.9M pharmacy fill request records (emails, birthdates, phone numbers, prescription numbers, patient IDs)

- 120.4M e-commerce fraud-feed records (order details, payment card BINs/last-four/expiry, billing+delivery addresses, names, emails)

- Delivery Ops Portal Postgres dump - 20.2M rows across orders, deliveries, postal codes, store data, users & more

- GitLab - 3,014 projects full source code (& more)

- Oracle IDCS export - 19.3M user identity records (credentials state, MFA devices, emails, phones, addresses & more)

- SFMC - 55.3M marketing/email records across 673 tables (subscribers, send logs, campaign inclusions, credit card expiry reminders & more)

Many, many more hundreds of millions of rows across several databases

loblaw has until march 19th to reach out to us, if they dont, all this data (& more) will be publicly leaked"

CyberAGroup has scrutinized data samples leaked by the hackers, and the reality is this is not some "low-level data breach," whatever that means. While these bad actors often exaggerate for leverage, the devastating truth remains that Canadian corporations can simply minimize the wreckage and walk away unscathed. They offer two years of credit monitoring, a hollow gesture, and then it is back to business as usual. Meanwhile, millions of Canadians are left to face the lifelong fallout of fraud, identity theft, and exploitation. The company claims one thing; the hackers claim another. On March 19th, perhaps we will see who was really telling the truth.