Canada Goose is investigating claims by the ShinyHunters extortion group regarding a data breach involving more than 600,000 customer records. The leaked information includes names, contact details, and partial payment card data allegedly stolen from a third-party processor in late 2025.
The high-end outerwear company Canada Goose is currently looking into a significant security incident following claims by the notorious data extortion group ShinyHunters. The group asserts that it has successfully compromised and leaked a dataset totaling 1.67 gigabytes, which reportedly contains the personal information of over 600,000 customers. This collection of data appears to consist of detailed e-commerce records that include customer names, physical addresses, and phone numbers.
Beyond basic contact information, the exposed files contain sensitive financial metadata related to customer orders. This includes the brand of the payment card used, the last four digits of the card number, and occasionally the first six digits, known as the bank identification number. While full credit card numbers do not seem to be part of the leak, the presence of payment authorization details and order histories provides enough context for malicious actors to potentially conduct highly convincing phishing or social engineering campaigns.
ShinyHunters has publicly stated that this specific data set was not obtained through recent social engineering attacks on cloud environments or single sign-on accounts. Instead, the group alleges that the information was harvested during a breach of a third-party payment processing platform that occurred in August 2025. This claim suggests that the vulnerability may not have existed within the brand's own internal infrastructure but rather within its supply chain or service providers.
An analysis of the data structure indicates that the records likely originated from a hosted storefront and payment processing system. This supports the theory of a third-party compromise, though these claims have not yet been independently verified by security researchers or the company itself. The group involved has a well-documented history of targeting major brands and software-as-a-service platforms to steal and leak massive volumes of consumer data.
As the investigation continues, the focus remains on determining the exact source of the leak and the level of risk posed to the affected individuals. The incident highlights the ongoing challenges that luxury brands face in securing customer data across complex e-commerce ecosystems. Customers are generally advised to remain vigilant against suspicious communications that leverage their recent purchase history or partial financial details.
Source: Canada Goose Data Breach Exposes 600,000 Customer Records To Hackers