The notorious threat group ShinyHunters has claimed responsibility for acquiring over 600,000 customer records from Canada Goose, the Toronto-based luxury outerwear brand known globally for its premium winter jackets. The stolen data, which appeared on a prominent dark web marketplace in February 2026, includes personal information, e-commerce order details, and partial payment card data.
About ShinyHunters
ShinyHunters is a well-known cybercriminal group that has been responsible for some of the largest data breaches in recent years, including attacks against Ticketmaster, AT&T, and numerous other major brands. The group specializes in targeting cloud storage misconfigurations, API vulnerabilities, and third-party integrations to gain access to large customer databases.
Their typical modus operandi involves exfiltrating entire customer databases and either selling them on dark web forums or using them as leverage for extortion against the victimized companies.
What Data Was Exposed
According to samples posted on the dark web listing, the compromised database includes:
- Full names and email addresses of over 600,000 customers
- Physical mailing addresses across North America and Europe
- Order history including product details, quantities, and purchase dates
- Partial payment card data (last four digits, card type, expiration dates)
- Phone numbers for customers who provided them during checkout
- Account creation dates and login history
Impact on Customers
While full payment card numbers do not appear to be included in the breach, the combination of personal information, order history, and partial card data creates significant risk for targeted phishing and social engineering attacks. Threat actors can use purchase history to craft convincing emails impersonating Canada Goose customer service or warranty departments.
The exposure of physical addresses is particularly concerning for customers who purchased high-value items, as this information could potentially be used to identify homes likely to contain expensive goods.
Canada Goose's Response
Canada Goose acknowledged the incident in a statement, confirming they are investigating the claims with the assistance of external cybersecurity experts. The company stated that full payment card numbers and passwords were not compromised, and that they have implemented additional security controls across their e-commerce platform.
Affected customers are being notified and offered complimentary identity monitoring services. The company has also reported the incident to the Office of the Privacy Commissioner of Canada as required under PIPEDA's mandatory breach notification provisions.
PIPEDA Implications
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must report breaches of security safeguards involving personal information that pose a real risk of significant harm. This breach clearly meets that threshold, and Canada Goose is obligated to notify both the Privacy Commissioner and all affected individuals.
Organizations found to have failed to comply with PIPEDA's breach notification requirements can face significant penalties, underscoring the importance of having robust incident response and notification procedures in place.
Protecting Your Organization
This breach reinforces the need for retail organizations to prioritize e-commerce security, including regular penetration testing of web applications, secure API design, proper cloud configuration management, and continuous monitoring for unauthorized data access. CyberSafe's offensive security and consulting services help organizations identify and address these vulnerabilities before threat actors can exploit them.