Luxury outerwear brand Canada Goose is investigating after the ShinyHunters group leaked 600,000 customer records, claiming the data came from a third-party payment processor breach in August 2025.
Canada Goose is investigating a data leak involving more than 600,000 customer records after the ShinyHunters group added the luxury outerwear brand to its data leak site this week. The exposed dataset, totaling 1.67 GB in JSON format, contains detailed e-commerce order records including customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories.

ShinyHunters data leak site listing Canada Goose and 600K records (BleepingComputer)
While the dataset does not appear to contain full payment card numbers, it includes partial payment information such as card brand, the last four digits of card numbers, and in some cases the first six digits (BIN), along with payment authorization metadata. The records also include purchase history, device and browser information, and order values, potentially allowing attackers to profile high-value customers.
Founded in 1957 and headquartered in Toronto, Canada Goose is a performance luxury outerwear brand with a global retail footprint and nearly 4,000 employees. The company told BleepingComputer that the dataset appears to relate to past customer transactions and that it has not found evidence of a breach of its own systems.
"Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online," the company stated. "At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate. To be clear, our review shows no evidence that unmasked financial data was involved. Canada Goose remains committed to protecting customer information."
ShinyHunters, when questioned by BleepingComputer about whether the Canada Goose data was obtained through recent social-engineering attacks targeting single sign-on (SSO) accounts and cloud environments, claimed the dataset was unrelated. The group stated it originated from a third-party payment processor breach and dates back to August 2025. BleepingComputer has not independently verified this claim.
The dataset's schema, including field names like checkout_id, shipping_lines, cart_token, and cancel_reason, closely resembles e-commerce checkout exports commonly associated with hosted storefront and payment processing platforms, which may help explain how the data could have originated from a third-party service provider.
Who is ShinyHunters?
ShinyHunters is a prolific data extortion group known for stealing and leaking large volumes of customer data from major brands and online services. The group has been linked to numerous high-profile breaches and data theft incidents in recent years, often targeting e-commerce platforms, SaaS services, and cloud environments.
In recent reporting, security researchers have tied the group to vishing and social-engineering campaigns used to gain access to corporate accounts and cloud data. Stolen data is typically used for extortion, sold on underground forums, or published on the group's leak site when victims refuse to pay.
The exposed information, while not containing full payment card numbers, could still be used for targeted phishing, social engineering, and fraud. The combination of personal details, partial payment information, and purchase history creates a comprehensive profile that attackers could exploit.
It is not yet known how many Canada Goose customers may be affected or whether individuals will be notified. The company says it is continuing to review the dataset to determine its accuracy and scope.
This incident highlights the ongoing risks associated with third-party service providers and the potential for customer data to be compromised even when a company's own systems remain secure. As data breaches continue to plague organizations across industries, the importance of robust vendor management and data protection practices becomes increasingly critical.
