Canada Goose confirms data leak - around 600,000 customers thought to be affected

News
By published

Luxury retailer Canada Goose says data was leaked, but argues it wasn't breached

Zero-day attack
(Image credit: Shutterstock) (Image credit: Shutterstock.com)
  • ShinyHunters leaks 600,000 Canada Goose customer records with personal and partial payment data
  • Company denies breach, says dataset stems from past transactions, likely via third-party processor
  • Limited card data still poses phishing and fraud risks through tailored social engineering

Hackers have leaked hundreds of thousands of customer records belonging to luxury clothing brand Canada Goose - but the company claims it wasn’t breached.

Notorious ransomware operators ShinyHunters recently added Canada Goose to its data leak site, claiming to have stolen more than 600,000 customer records.

The samples, reviewed by BleepingComputer, contained “detailed e-commerce order records” which included people’s names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories.

Breaching a third party

The data also included partial payment card information, including card brand, last four digits, and in some cases - the first six digits and payment authorization metadata.

At the same time, the retailer said the dataset was from past customer transactions, and not from a breach:

"Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online," the company said.

"At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate. To be clear, our review shows no evidence that unmasked financial data was involved. Canada Goose remains committed to protecting customer information."

There might be truth to those claims, though, since ShinyHunters told BleepingComputer that the data came from an August 2025 breach at a third-party payment processor, and the publication says the dataset’s schema “closely resembles” e-commerce checkout exports.

Obviously, the name of the breached entity was not shared.

While full payment information not being leaked is definitely good news, hackers can do plenty of damage with limited data, as well. This type of information could be used in highly sophisticated, tailored phishing attacks, which could lead to compromised accounts and even wire fraud.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.