Loblaw Companies Limited
Between May 12, 2017 and July 7, 2017, automated ?credential stuffing? attacks occurred against web properties owned by the Organization. High traffic volumes led the Organization to investigate what appeared to be unauthorized access to user accounts and identified the logins that were likely unauthorized.
On June 13, 2017, the Organization received telephone calls from users reporting they received an automated message from one of the Organization?s online sites indicating their user profile had changed. The users had not changed their profile. The Organization immediately deactivated affected user accounts and loyalty cards. The Organization believes that stolen credentials (email addresses and passwords) from other mass breaches were used to access accounts on the Organization?s web properties.