ShinyHunters, a well-known data extortion group, claims to have stolen more than 600,000 Canada Goose customer records containing personal and payment-related data.

Canada Goose told BleepingComputer the dataset appears to relate to past customer transactions and that it has not found evidence of a breach of its own systems.

Founded in 1957, Canada Goose is a Toronto-based performance luxury outerwear brand with a global retail footprint and nearly 4,000 employees.

Canada Goose sees no evidence of breach

"Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online," the company told BleepingComputer.

"At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate. To be clear, our review shows no evidence that unmasked financial data was involved. Canada Goose remains committed to protecting customer information."

1.67 GB dataset contains detailed order records

ShinyHunters added Canada Goose to its data leak site this week, claiming the archive contains more than 600,000 customer records.

Samples reviewed by BleepingComputer show that the 1.67 GB dataset, released in JSON format, contains detailed e-commerce order records, including customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories.

The data also includes partial payment card information such as card brand, the last four digits of card numbers, and in some cases the first six digits (BIN), along with payment authorization metadata.

While the dataset does not appear to contain full payment card numbers, the exposed information could still be used for targeted phishing, social engineering, and fraud.

The records also include purchase history, device and browser information, and order values, potentially allowing attackers to profile high-value customers.

Hackers deny link to recent SSO attacks

ShinyHunters has recently been linked to a wave of social-engineering attacks targeting single sign-on (SSO) accounts and cloud environments.

When asked whether the Canada Goose data was obtained through those intrusions, the group told BleepingComputer the dataset was unrelated, claiming it originated from a third-party payment processor breach and dates back to August 2025.

BleepingComputer has not independently verified the claim.

The dataset's schema (specifically, field names like checkout_id, shipping_lines, cart_token, cancel_reason, etc.), however, closely resembles e-commerce checkout exports commonly associated with hosted storefront and payment processing platforms, which may help explain how the data could have originated from a third-party service provider.

Who is ShinyHunters?

ShinyHunters is a prolific data extortion group known for stealing and leaking large volumes of customer data from major brands and online services.

The group has been linked to numerous high-profile breaches and data theft incidents in recent years, often targeting e-commerce platforms, SaaS services, and cloud environments.

In recent reporting, security researchers have tied the group to vishing and social-engineering campaigns used to gain access to corporate accounts and cloud data.

Stolen data is typically used for extortion, sold on underground forums, or published on the group's leak site when victims refuse to pay.

It is not yet known how many Canada Goose customers may be affected or whether individuals will be notified. The company says it is continuing to review the dataset to determine its accuracy and scope.