Canadian luxury outerwear brand Canada Goose has confirmed that a dataset published by the ShinyHunters extortion crew on February 14, 2026 contains genuine customer information, but maintains the records stem from an older compromise rather than a fresh intrusion. The leaked archive, advertised as containing more than 600,000 records, includes names, contact details, partial payment information, and order histories tied to past purchases across North America and Europe.

What Happened

On February 14, 2026, ShinyHunters listed Canada Goose on their newly stood-up data leak site, offering a JSON archive of 600,000+ customer records for download. The Register reviewed samples and confirmed the advertised contents broadly match what is in the file.

Canada Goose responded by acknowledging that a "historical dataset relating to past customer transactions has recently been published online," but stated it has "no indication of any breach of our own systems" and is reviewing the dataset to assess accuracy and scope. The company declined to specify the age of the data or the original source of the compromise. Notably, Canada Goose stressed that "no evidence that unmasked financial data was involved" surfaced in its review.

What Was Taken

The leaked dataset contains the following data classes per ShinyHunters' advertisement and The Register's spot-check of the JSON file:

• Full names and standard personally identifiable information (PII)
• Contact details
• Delivery addresses
• Order details, including item pricing
• Partial payment and financial information (Canada Goose disputes that any unmasked card data is present)

Affected individuals appear to be concentrated in North America and Europe, consistent with Canada Goose's primary retail footprint. The total record count exceeds 600,000.

Why It Matters

Even when leaked records are years old, the harm is far from theoretical. Names, addresses, order histories, and partial card data form an ideal toolkit for highly targeted phishing, package interception, refund fraud, and account takeover attempts against customers who likely still hold the same email addresses and shipping locations. Luxury-goods buyers in particular are attractive social engineering targets because their purchase history signals disposable income and deliverable high-value goods.

The incident also continues a pattern in which ShinyHunters re-monetizes legacy datasets via their new dedicated leak site, blurring the line between fresh intrusions and recycled data. For defenders, "old breach" is not a synonym for "low risk," especially when the brand's customers have no way of knowing the data is in circulation again.

The Attack Technique

Canada Goose has not disclosed how the data was originally obtained, when the compromise occurred, or whether a third-party processor was involved. ShinyHunters has not publicly tied the dump to any specific intrusion vector in this case.

Context from ShinyHunters' broader 2026 campaign is instructive, however. The group has aggressively used voice phishing (vishing) against Okta-protected SaaS tenants to harvest data from Crunchbase, Betterment, Canva, and roughly 100 other organizations. They were also tied in 2025 to mass theft from Salesforce instances and the SalesLoft Drift integration compromise, where attackers pivoted through trusted SaaS connectors to exfiltrate customer data at scale. Whether the Canada Goose dataset originated from a direct ecommerce compromise, a SaaS supply-chain breach, or a long-dormant intrusion remains unconfirmed.

What Organizations Should Do

1. Treat retired customer datasets as live liability. Apply data minimization and retention policies that purge non-essential transactional PII on a defined schedule, and document what is kept and why.
2. Audit SaaS and third-party processor exposure. Inventory which vendors, integrations, and historical processors hold customer order data, and validate their breach notification obligations and current security posture.
3. Harden Okta and SSO against vishing. Enforce phishing-resistant MFA (FIDO2/WebAuthn), restrict help-desk reset workflows, require call-back verification, and alert on anomalous admin role changes.
4. Monitor leak sites and underground forums for brand mentions and customer data, and pre-stage a customer notification and credential-reset playbook so response is not improvised.
5. Warn customers proactively when historical datasets surface, and prompt password resets, payment card reissuance where applicable, and heightened vigilance against shipping and refund scams referencing real past orders.
6. Stress-test incident response for "old breach" scenarios, where attribution, timeline, and notification obligations are murky and PR pressure is high.

Sources: Canada Goose says ShinyHunters only breached old data