Canada Goose is investigating a newly surfaced customer dataset as Have I Been Pwned (HIBP) added the incident to its breach database earlier today, signaling that the leaked data has been verified as authentic.
The records, exposed by the ShinyHunters extortion group, contain detailed order information and partial payment card data.
HIBP lists the breach as affecting 581,900 unique email addresses across approximately 920,000 records. The service notes that 79% of the exposed email addresses were already present in its database from previous breaches. The most recent transaction date in the dataset is July 2025.
An entry on HIBP means the data has been validated as legitimate breach material, not simply an unverified claim. However, Canada Goose has not yet issued a formal public breach notice on its website. The company stated it is investigating the threat actor’s claims and indicated that the exposed information appears to relate to past customer transactions. It also claimed that the data originated from a third-party breach that occurred in August 2025.
Canada Goose is a Toronto-based luxury outerwear manufacturer with a global retail and e-commerce presence. The company generates significant direct-to-consumer sales through its online platform, making customer order systems and associated third-party service providers attractive targets for cybercriminal groups seeking monetizable data.
ShinyHunters added Canada Goose to its leak site earlier this week, advertising a 1.67GB archive allegedly containing more than 600,000 customer records. The dataset was released in JSON format and includes detailed e-commerce order records.
The exposed data includes:
- Names
- Email addresses
- Phone numbers
- Billing and shipping addresses
- IP addresses
- Device and browser information
- Order histories and purchase values
The records also contain partial payment card details, such as card brand and the last four digits of card numbers, and in some cases, the first six digits (BIN), along with payment authorization metadata.
While full payment card numbers do not appear to be present, the combination of identity data, contact information, and detailed purchase history significantly increases the risk of targeted phishing and social engineering attacks.
Customers who made purchases before July 2025 should remain alert for suspicious emails or phone calls referencing past Canada Goose orders. It is advisable to avoid clicking links in unsolicited messages, verify any communication directly through the company’s official website, enable multi-factor authentication on online accounts, and monitor financial statements for unauthorized activity.
Leave a Reply