I'm hesitant to really disclose anything that might disclose some information to people that may want to target this for further exploit. Anyone who is tech-savvy should be able to find the breach on a known forum community that shares these breaches (like the 500+mill Facebook leak, for example) using some quick googling.
From what I was able to download and check out, it is simply just hashed passwords and emails. This, however, doesn't mean there isn't other information out there. Typically in this type of situation, emails and passwords are more so used to validate that a breach has happened. Personal information typically is sold for Bitcoin or other cryptocurrency markets in the dark web for profit.
In saying this, after combing their site it does appear that they do their banking with TD Canada Trust, as a direct deposit through them is listed as a means of payment. Their credit card processing form looks identical to the documentation that Bambora (formerly BeanStream) provides, as they are the merchant partner for TD Canada Trust Business Clients. From experience I do know that if this is the case, the credit card information isn't stored, and instead forwarded through to the payment processor. However, that being said, there's really no way to confirm that they record any personal information like credit cards in a database prior to sending the information to Bambora (or any other merchant partner being used).
A quick way to know if your information is being stored on a website is simply to log in to your account to do another purchase. Anything you don't have to fill out again (PAL info, credit card, address, etc.) is stored within their system in some way.
When a database is breached, it doesn't necessarily matter what is released, but we can assume everything is vulnerable. This breach was only put out in the web on April 5, 2022, and from the DB records I have checked and skimmed through, there is evidence of this not being a very recent breach.
Here are the last 3 records in the database dump file:
id,username,email,password,reset_pin,registration_date,last_login,confirmation,ip,role_id
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
79091,ravi_********@*****.com,ravi_********@*****.com,REMOVED FOR CONFIDENTIALITY,81883934,2021-03-29 13:34:30,2021-03-29 13:34:30,"",0,
79092,"",ari.*****@*******.com,REMOVED FOR CONFIDENTIALITY,"",2021-03-29 14:40:36,2021-03-29 14:40:37,"",638741489,
79093,jsc**@*******.net,jsc**@*******.net,REMOVED FOR CONFIDENTIALITY,59886044,2021-03-30 04:02:16,2021-03-30 04:02:17,"",3358809358,
Really what is upsetting here is that the information has been readily and publicly available since the 5th of April. We have 2 Cybersecurity programs that are sounding alarms for customers associated with this breach, yet their website is still online, accepting orders, and there hasn't been notice to customers as of yet until they "confirm" the breach.
There are 79k+ records of a database out there, and the customers do have a right to know. This website should have been placed on a maintenance mode page as soon as the threads started popping up.