Canada Goose Data Breach: ShinyHunters Leak Exposes 600,000 Customer Records via Third-Party Payment Processor

Executive Summary
In February 2026, the data extortion group ShinyHunters published a dataset containing over 600,000 customer records associated with the luxury outerwear brand Canada Goose. The dataset, totaling 1.67 GB in JSON format, includes customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, order histories, partial payment card data (including card brand, last four digits, and in some cases the first six digits/BIN), payment authorization metadata, device and browser information, and order values. No full payment card numbers or unmasked financial data were found in the leak. Both Canada Goose and ShinyHunters state that the breach did not occur in Canada Goose’s own systems but likely originated from a third-party payment processor, with the dataset’s schema supporting this claim. The exposure of this data presents significant risks for targeted phishing, social engineering, and fraud, particularly given the high-value customer base typical of luxury retail. Canada Goose has confirmed the existence of the dataset, denied a direct breach of its own systems, and is continuing to investigate the scope and accuracy of the leaked information. All claims in this summary are corroborated by three independent sources, including official company statements and technical analysis (BleepingComputer, Feb 15, 2026; inkl/TechRadar, Feb 2026; News4hackers, Feb 16, 2026).
Technical Information
The incident centers on the public release of a 1.67 GB dataset by the data extortion group ShinyHunters. The dataset, which was published in JSON format, contains over 600,000 records of Canada Goose customers. The data includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, billing and shipping addresses, and IP addresses. In addition, the dataset contains detailed order histories, device and browser information, and order values, which could be used to profile high-value customers.
Partial payment card information is present in the dataset, including the card brand, the last four digits of card numbers, and in some cases the first six digits (Bank Identification Number, or BIN). Payment authorization metadata is also included. Importantly, there is no evidence that full payment card numbers or unmasked financial data were exposed, a fact confirmed by Canada Goose in official statements (BleepingComputer, Feb 15, 2026; inkl/TechRadar, Feb 2026; News4hackers, Feb 16, 2026).
The structure of the leaked dataset, including field names such as checkout_id, shipping_lines, cart_token, and cancel_reason, closely matches e-commerce checkout exports typically associated with hosted storefront and payment processing platforms. This technical detail supports the assertion that the breach originated from a third-party payment processor rather than from Canada Goose’s own infrastructure.
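The two checks described above (schema markers and absence of full card numbers) can be scripted when triaging a sample of a leaked export. The following is an added example, not code from the original article or from any party it describes; the sample record, its values, and the payment_details key names are constructed assumptions.

```python
import json
import re

# Field names the article cites as checkout-export markers.
CHECKOUT_MARKERS = {"checkout_id", "shipping_lines", "cart_token", "cancel_reason"}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample record; values and the payment_details keys are invented.
SAMPLE = json.loads("""
{"checkout_id": 9000000000011, "cart_token": "c0ffee", "cancel_reason": null,
 "shipping_lines": [{"title": "Standard", "phone": "+1 416 555 0100"}],
 "payment_details": {"credit_card_bin": "411111",
                     "credit_card_number": "XXXX-XXXX-XXXX-1111"}}
""")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def walk(node, path="", key=""):
    """Yield (path, key, value) for every dict entry and list element."""
    if isinstance(node, dict):
        for k, v in node.items():
            p = f"{path}.{k}" if path else k
            yield p, k, v
            yield from walk(v, p, k)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield f"{path}[{i}]", key, item
            yield from walk(item, f"{path}[{i}]", key)


def triage(record):
    """Report which schema markers are present and where full PANs may sit."""
    keys, pan_paths = set(), []
    for path, key, value in walk(record):
        keys.add(key)
        if isinstance(value, (str, int)) and not isinstance(value, bool):
            for m in PAN_CANDIDATE.finditer(str(value)):
                # Long numeric IDs can pass Luhn by chance: treat as candidates.
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    pan_paths.append(path)
    return {"markers": sorted(keys & CHECKOUT_MARKERS), "full_pan_paths": pan_paths}
```

An empty full_pan_paths list across a sample is consistent with the masked-card claim; any hit needs manual review before it is treated as a real card number.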
ShinyHunters is a well-documented data extortion group known for targeting e-commerce platforms, SaaS services, and cloud environments. Their tactics, techniques, and procedures (TTPs) include social engineering, vishing (voice phishing), and credential theft to gain access to corporate accounts and backend data repositories. In this case, ShinyHunters explicitly denied that the dataset was related to their recent single sign-on (SSO) or cloud environment attacks, instead claiming the data was obtained from a third-party payment processor breach in August 2025. This claim is supported by the dataset’s schema but has not been independently verified by external parties (BleepingComputer, Feb 15, 2026).
No specific malware or exploit tools have been identified in connection with this incident. The attack appears to have involved data exfiltration from a third-party service, likely through compromised credentials or unauthorized access, rather than through the deployment of malware.
The risks associated with this data exposure are significant. The combination of PII, partial payment card data, and order histories enables attackers to conduct highly targeted phishing and social engineering campaigns. In the context of luxury retail, where customers are often high-net-worth individuals, the potential for financial fraud and reputational damage is elevated. The incident underscores the critical importance of third-party risk management and continuous monitoring of vendor security practices.
Mapping the attack to the MITRE ATT&CK framework, the likely techniques involved include Valid Accounts (T1078) for initial access, Data from Information Repositories (T1213) for collection, Exfiltration Over Web Service (T1567) for data exfiltration, and Data Leak (T1537) and Extortion (T1657) for impact and post-exfiltration activities. The confidence level for these mappings is high for collection, impact, and extortion, and medium for initial access and exfiltration, based on available evidence and established threat actor patterns.
Affected Versions & Timeline
The dataset published by ShinyHunters relates to customer transactions processed up to August 2025, with the breach itself attributed to a third-party payment processor during that period. Canada Goose became aware of the leak in February 2026, when the dataset was published online, and subsequently began an internal review to assess the accuracy and scope of the exposed data. The company has stated that, as of the time of reporting, there is no evidence of a breach of its own systems and no indication that full payment card data was involved (BleepingComputer, Feb 15, 2026; inkl/TechRadar, Feb 2026; News4hackers, Feb 16, 2026).
The affected dataset includes records of customers who made purchases through Canada Goose’s e-commerce platform and whose transactions were processed by the third-party payment processor in question. The exact number of affected individuals is estimated at over 600,000, based on the size and content of the leaked dataset.
Threat Activity
ShinyHunters is a prolific data extortion group with a history of targeting organizations in the e-commerce, SaaS, and cloud services sectors. Their activities typically involve the theft of large volumes of customer data, which is then used for extortion, sold on underground forums, or published on public leak sites if ransom demands are not met. The group’s tactics include social engineering, vishing, and exploitation of weak authentication mechanisms to gain unauthorized access to sensitive data repositories.
In this incident, ShinyHunters claimed responsibility for the leak and published the dataset on their data leak site. The group stated that the data was obtained from a third-party payment processor breach in August 2025 and denied any connection to recent SSO or cloud environment attacks. The dataset’s schema and content support the claim that the data originated from a third-party service provider rather than from Canada Goose’s own systems.
The exposure of detailed customer information, including partial payment card data and order histories, enables attackers to craft highly targeted phishing and social engineering campaigns. Such campaigns could be used to compromise customer accounts, facilitate wire fraud, or conduct other forms of financial crime. The luxury retail sector is particularly vulnerable to these risks due to the high value of customer profiles and the potential for reputational damage.
Mitigation & Workarounds
The following mitigation steps are prioritized by severity:
Critical: Organizations should immediately review and enhance third-party risk management (TPRM) processes, with a focus on payment processors and other vendors handling sensitive customer data. This includes conducting thorough security assessments, requiring regular security attestations, and ensuring contractual obligations for breach notification and incident response.
High: Customers whose data may have been exposed should be notified promptly, with clear guidance on recognizing and reporting phishing and social engineering attempts. Enhanced monitoring for fraudulent activity on affected accounts should be implemented, and customers should be advised to monitor their financial statements for suspicious transactions.
High: Implement multi-factor authentication (MFA) and strong access controls for all third-party integrations, especially those involving payment processing and customer data storage. Regularly audit access logs and monitor for anomalous activity.
Medium: Conduct a comprehensive review of all data flows between the organization and third-party vendors to identify and remediate any unnecessary data sharing or retention. Ensure that only the minimum necessary data is shared with vendors and that data is securely deleted when no longer required.
Medium: Provide ongoing security awareness training for employees and customers, emphasizing the risks of phishing, vishing, and other social engineering tactics commonly used by groups like ShinyHunters.
Low: Review and update incident response plans to ensure they include procedures for responding to third-party breaches, including communication protocols and coordination with affected vendors.
References
https://www.bleepingcomputer.com/news/security/canada-goose-investigating-as-hackers-leak-600k-customer-records/
https://www.inkl.com/news/canada-goose-confirms-data-leak-around-600-000-customers-thought-to-be-affected
http://www.news4hackers.com/canada-goose-hit-by-data-breach-600000-customer-records-exposed-to-hackers/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with vendors and service providers. Our platform enables continuous monitoring of vendor security posture, supports evidence-based risk assessments, and facilitates rapid response to third-party incidents. For questions or further information, contact us at ops@rescana.com.