
Goose Creek Candle Company has suffered a data breach exposing the personal information of 6.6 million customers, according to a new entry published by Have I Been Pwned (HIBP).
The breach was added to the service earlier today after HIBP received a copy of the dataset from the party behind emails sent to Goose Creek customers last month.
According to HIBP, the exposed data includes:
- Email addresses
- Names
- Phone numbers
- Physical addresses
- Order IDs
- Customers' total spending
The data appears to have been obtained from Goose Creek's Shopify instance. HIBP also noted that 84% of the email addresses were already present in its database from previous breaches.
Goose Creek is a Kentucky-based retailer specializing in scented candles, wax melts, room sprays, and other home fragrance products. The company primarily sells its products through its online store and has a large customer base across the United States.
The disclosure follows reports from June of customers receiving unsolicited emails from an unknown sender claiming Goose Creek had ignored reports of a security vulnerability. To support the claims, the sender included each recipient's personal information, including their name, address, phone number, email address, and order number. The emails also alleged that millions of customer records had been exposed and urged recipients to contact company management instead of customer support.

Because the messages originated from a suspicious email address and contained unusual wording, many customers who discussed them on Reddit believed they were part of a phishing campaign. However, the inclusion of the dataset by Have I Been Pwned confirms that the sender possessed genuine customer information.
Goose Creek has not publicly confirmed the breach or issued an official security advisory. However, Have I Been Pwned validates breach data before adding incidents to its database, lending credibility to the exposed dataset despite the absence of a public statement from the company. HIBP said Goose Creek was aware of the reports but was unable to provide further information at the time of publication.
There is currently no indication that passwords or payment card information were included in the exposed data. Nevertheless, affected customers should be cautious of phishing emails, text messages, or phone calls that reference their personal details or previous Goose Creek orders.







Leave a Reply