LCBO (Liquor Control Board of Ontario) Database Breached: 165,840 Customer Records Exposed from Ontario's Crown Corporation
A threat actor operating under the alias Spirigatito has released the customer database of LCBO (Liquor Control Board of Ontario), the Government of Ontario's Crown corporation responsible for the retail and wholesale distribution of beverage alcohol throughout the province and one of the largest single retailers of alcohol in the world. The listing claims a breach affecting 165,840 customer records, with each record containing the customer's name, email address, phone number, and account type.
A breach of the customer database of Ontario's provincially-owned alcohol retailer, exposing 165,840 records containing names, emails, phone numbers, and account types. High risk of targeted phishing, alcohol-themed scams, and impersonation campaigns against verified Canadian consumers.
Incident Summary
Incident Overview
A threat actor going by Spirigatito has posted a leak of LCBO (Liquor Control Board of Ontario) on a public cybercrime forum, signing the post "Breached by @👑 Spirigatito" and addressing the forum community directly with the line "Today I am leaking LCBO database." LCBO is a Crown corporation owned by the Government of Ontario, established in 1927 following the end of provincial prohibition, and serves as the primary retail and wholesale channel for beverage alcohol in Canada's most populous province. With more than 670 retail stores plus a national e-commerce platform at lcbo.com, LCBO is one of the largest single buyers and retailers of alcohol in the world. The listing describes the victim as "the official e-commerce and information platform for the Liquor Control Board of Ontario."
According to the listing, the breach affects 165,840 customers, with the seller stating that each record contains the following six fields: Account ID, First Name, Last Name, Email, Phone, and Account Type. The published JSON sample confirms this schema and reveals the following data categories:
- Account IdentifiersUUID-format accountId values that map each customer record to LCBO's internal account system, plus a "Customer" accountType label confirming these are retail consumer accounts rather than corporate or licensee accounts.
- Full NamesFirst and last names in plain text, with capitalisation inconsistencies suggesting raw user input rather than normalised fields.
- Email AddressesPersonal email addresses across major Canadian webmail providers.
- Phone Numbers10-digit North American phone numbers, with the area-code distribution consistent with Ontario coverage.
While the dataset is narrower than a financial breach (no payment card data, addresses, or order histories visible in the sample), the combination of name, email, and phone number tied to a verified LCBO customer account is highly weaponisable on its own. The data immediately enables targeted phishing campaigns referencing real LCBO branding, fraudulent loyalty-points or refund scams, and SIM-swap attempts using the phone numbers as starting points.
Compromised Data Categories
Screenshots
%20Database%20Breached%3A%20165%2C840%20Customer%20Records%20Exposed%20from%20Ontario's%20Crown%20Corporation){kind=link}