The hacker group ShinyHunters, one of the most prolific cybercrime collectives in the world, has published a database containing personal information of 600,000 customers of Canada Goose, the Canadian luxury outerwear brand known for its premium parkas. The leak, totaling 1.67 GB of data, was posted on February 14, 2026 on the group's leak site.
What data was leaked
The exposed database contains highly sensitive information:
- Full names of customers
- Postal addresses (shipping and billing)
- Phone numbers
- Email addresses
- Partial credit card data (last 4 digits, expiration date, card type)
- Purchase history (products, amounts, dates)
- IP addresses from transactions
The scale of the leak
With 1.67 GB of data distributed across multiple CSV and JSON files, the leak includes records spanning from 2019 to August 2025. This means anyone who purchased from Canada Goose online in the last six years could be affected.
What Canada Goose says
Canada Goose issued a statement confirming the incident but attributing it to a third-party payment processor. According to the company:
- The breach occurred in August 2025 at a third-party payment processor
- Canada Goose's internal systems "were not directly compromised"
- The company was notified of the incident in September 2025
- Canada Goose hired a cybersecurity firm to investigate
- Affected customers "are being notified"
Criticism of Canada Goose's response
Cybersecurity experts have criticized several aspects of the response:
- 5-month delay between the breach (August 2025) and public notification (February 2026)
- Blaming the external vendor does not exempt Canada Goose from responsibility for its customers' data
- Not offering free credit monitoring to affected customers (as of this publication)
Who is ShinyHunters
ShinyHunters is a hacker group active since 2020 that has become one of the leading actors in global cybercrime. Their track record includes:
- 2020: Leak of 73 million records from 10 companies, including Tokopedia and Wishbone
- 2021: Microsoft GitHub data breach (500 GB of source code)
- 2022: AT&T leak of 70 million records
- 2024: Responsible for the mega-breach of Ticketmaster (560 million records)
- 2025: Multiple attacks on luxury retailers in Europe
The group operates primarily through its own leak site and also posts on dark web forums. Their business model combines selling stolen data with extorting affected companies.
How to know if your data was leaked
If you ever purchased from Canada Goose online between 2019 and August 2025, your data could be in this leak. To verify:
- Check Have I Been Pwned (haveibeenpwned.com): Troy Hunt's site typically indexes these leaks within days
- Check your email: Canada Goose should send you a notification if you're affected
- Monitor your cards: Review transactions on cards you used for Canada Goose purchases
What to do if your data was compromised
- Change your password for Canada Goose and any other site where you use the same password
- Enable 2FA (two-factor authentication) on all your important accounts
- Freeze your credit temporarily if your financial data was exposed
- Be suspicious of emails: Leaked data is frequently used for targeted phishing attacks
- Monitor your bank accounts for the next few months
- Consider an identity monitoring service like Norton LifeLock or Identity Guard
The lesson for companies
This incident highlights a critical issue: companies are responsible for their customers' data, even when third parties process it. The data custody chain doesn't end when an external vendor handles payments. Canada Goose chose that vendor and shares responsibility for its security.
For consumers, the lesson is clear: the less personal data you share online, the lower your exposure in the inevitable next breach.