Canada Goose Investigates Leak of 600,000 Customer Records Linked to Third-Party Breach
Learn More
Canada Goose, a Toronto-based luxury outerwear brand, is investigating a data leak after the ShinyHunters extortion group published approximately 600,000 alleged customer records.
The group claims the data contains personal and payment-related information. The threat actor attributes the breach to a third-party payment processor from in August 2025. Canada Goose stated it has found no evidence of a direct compromise of its own internal systems, but it's not clear if a third party was compromised,
The ShinyHunters group released a 1.67 GB archive in JSON format containing detailed e-commerce order records. Technical analysis of the data schema, which includes fields like "checkout_id" and "cart_token," suggests the information was stolen from a hosted storefront or payment processing platform.
The compromised data includes:
- Full names and email addresses
- Phone numbers
- Billing and shipping addresses
- IP addresses and order histories
- Partial payment card information (card brand, last four digits, and BIN)
- Payment authorization metadata
- Device and browser information
- Order values
The number of affected individuals is not clear since the company has not commented on the impact.
Canada Goose is reviewing the leaked dataset to assess its accuracy and determine the total scope of the exposure. The company confirmed that its initial investigation shows no evidence that unmasked financial data, such as full credit card numbers, was involved.
The organization has not yet announced if it will provide identity theft protection or credit monitoring services to the impacted customers as it continues to validate the records.
Security experts recommend that customers monitor their financial accounts for unauthorized charges and be careful of phishing attempts referencing specific past orders.
Update - Canada Goose claims that the advertised 600,000 records by ShinyHunters are from an old incident and there are no signs of a recent compromise. The company did not disclose how old the data is, how it was originally stolen, and how many customers are affected.
