CRISPR/Cas9 is a powerful genome-editing tool, but spurious off-target edits present a barrier to therapeutic applications. To understand how CRISPR/Cas9 discriminates between on-targets and off-targets, we have developed a single-molecule assay combining optical tweezers with fluorescence to monitor binding to λ-DNA. At low forces, the Streptococcus pyogenes Cas9 complex binds and cleaves DNA specifically. At higher forces, numerous off-target binding events appear repeatedly at the same off-target sites in a guide-RNA-sequence-dependent manner, driven by the mechanical distortion of the DNA. Using single-molecule Förster resonance energy transfer (smFRET) and cleavage assays, we show that DNA bubbles induce off-target binding and cleavage at these sites, even with ten mismatches, as well as at previously identified in vivo off-targets. We propose that duplex DNA destabilization during cellular processes (for example, transcription, replication, etc.) can expose these cryptic off-target sites to Cas9 activity, highlighting the need for improved off-target prediction algorithms.