Critical

Canada Goose Breach: 582K Accounts Exposed

In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card t...

Overview

In February 2026, a dataset allegedly containing information on 581,877 Canada Goose customers was published on a public data-sharing platform. The exposed archive contains nearly 920,000 records, including names, email addresses, phone numbers, physical addresses, IP addresses, and partial credit card data. The breach was reported to Have I Been Pwned (HIBP), where affected users can now verify if their credentials are among those leaked. The inclusion of payment card data elevates this beyond a typical credential dump into a high-risk financial exposure for thousands of shoppers.

What Was Exposed

The breach exposed a broad range of personally identifiable information (PII) and sensitive payment data:

  • Email addresses and names (primary identifiers for account takeovers)
  • Phone numbers and physical addresses (usable for targeted phishing or identity fraud)
  • IP addresses (indicate user location and browsing patterns)
  • Partial credit card data - the first six and last four digits, plus the card type and expiration date

While full credit card numbers were not disclosed, the combination of card metadata with address and phone data can be weaponized in social-engineering attacks. Fraudsters can use these details to impersonate victims or attempt to bypass bank verification questions.

How the Breach Happened

The exact attack vector has not been confirmed by Canada Goose or the source of the leak. The public posting of a structured archive suggests a data exfiltration event - either via an internal system compromise, an exploited vulnerability in the company’s e-commerce platform, or a third-party service provider breach. Retailers handling payment data are frequent targets for ransomware groups and financially motivated criminals because customer databases with card details sell for premium prices on dark-web markets. Given the dataset’s completeness, the attacker likely had sustained access to Canada Goose’s customer relationship management (CRM) or point-of-sale systems before extraction.

Account Takeover Risks

With email addresses and names in the open, attackers can attempt credential-stuffing attacks - using lists of known passwords from other breaches to try logging into Canada Goose accounts. If you reuse passwords across sites, a takeover here could compromise any of your other online accounts. Additionally, the combination of email, address, and phone data makes it easy for scammers to craft convincing phishing messages that reference legitimate purchases, luring victims into revealing more sensitive information.
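The credential-stuffing pattern described above has a recognisable shape in authentication logs: one source address trying many different accounts in a short window with mostly failed logins, which is nothing like a single customer mistyping their own password. The following detector is an added example, not code from the original report or from Canada Goose; the log format (`timestamp ip OK|FAIL email`), the sample lines and the thresholds are constructed assumptions, and the IPs are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format: "<ISO8601> <client_ip> <OK|FAIL> <email>").
# 203.0.113.7 cycles through eight accounts in seconds and hits one of them;
# 198.51.100.4 is a customer retrying her own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z 203.0.113.7 FAIL alice@example.com
2026-02-10T09:00:02Z 203.0.113.7 FAIL bob@example.com
2026-02-10T09:00:03Z 203.0.113.7 OK carol@example.com
2026-02-10T09:00:04Z 203.0.113.7 FAIL dave@example.com
2026-02-10T09:00:05Z 203.0.113.7 FAIL erin@example.com
2026-02-10T09:00:06Z 203.0.113.7 FAIL frank@example.com
2026-02-10T09:00:07Z 203.0.113.7 FAIL grace@example.com
2026-02-10T09:00:08Z 203.0.113.7 FAIL heidi@example.com
2026-02-10T09:01:00Z 198.51.100.4 FAIL alice@example.com
2026-02-10T09:01:20Z 198.51.100.4 FAIL alice@example.com
2026-02-10T09:01:45Z 198.51.100.4 OK alice@example.com
2026-02-10T09:02:00Z 192.0.2.9 OK dave@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<result>OK|FAIL)\s+(?P<user>\S+)$"
)


def parse_log(text):
    """Turn raw log text into (timestamp, ip, result, user) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["result"], m["user"].lower()))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: alert} for sources that, inside any sliding window, attempt at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_fail_ratio`. Accounts that logged in OK inside such a window are reported as
    likely compromised, since a stuffing run only "succeeds" on reused passwords."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[3] for e in span}
            fail_ratio = sum(1 for e in span if e[2] == "FAIL") / len(span)
            if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                alert = {
                    "distinct_users": len(users),
                    "fail_ratio": round(fail_ratio, 2),
                    "compromised": sorted({e[3] for e in span if e[2] == "OK"}),
                }
                # Keep the widest window seen for this source.
                if ip not in alerts or alert["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = alert
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The distinct-user count is what separates stuffing from ordinary failed logins; a single account failing repeatedly from one address never trips the rule. In production the same logic would run per window over a stream, and the `compromised` list is the set of accounts to force a password reset on and to check for password reuse.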

What to Do Right Now

Check if you’re affected: Visit haveibeenpwned.com and search your primary email address. If your account appears in the Canada Goose breach, take the steps below immediately.

For credit card security:

  • Monitor your card statements for unauthorized charges over the next 90 days
  • Contact your bank to request a replacement card if you used it at Canada Goose since early 2025
  • Enable transaction alerts via your banking app

For account security:

  • Change your Canada Goose password immediately to a unique, complex one
  • Enable multi-factor authentication (MFA) on your account if the option exists
  • If you reused the same password elsewhere, change those accounts too

For phishing awareness: Do not click links in unsolicited emails claiming to be from Canada Goose. Visit the official site directly by typing the URL into your browser.

Security Insight

This breach reveals a troubling gap in Canada Goose’s payment data handling. Storing partial credit card data alongside full customer profiles increases the blast radius of any single compromise - a practice that contradicts Payment Card Industry Data Security Standard (PCI DSS) guidance to minimize card data retention. Compared to similar incidents at retailers like Panera Bread and Subway in recent years, the inclusion of address, phone, and card metadata is particularly dangerous because it enables targeted fraud that bypasses typical tokenization protections. The most effective lesson here is not just about passwords - it is about how companies like Canada Goose must re-evaluate whether they need to retain sensitive payment data at all, especially when the cost of a breach far outweighs the convenience of faster checkout.
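The retention point above, that card metadata stored next to a full customer profile widens the blast radius of any compromise, can be made concrete with a small check. The code below is an added example, not the report's own or Canada Goose's; the order record, its field names and the processor token are constructed assumptions. It does three things a defender would want: scans stored values for full card numbers that should never be at rest (digit runs that pass the Luhn check), describes what a leaked record hands to a fraudster, and produces the retention-minimised copy that keeps only a processor token (and optionally the last four digits for receipts).

```python
import re

CARD_FIELDS = {"pan", "card_bin", "card_last4", "card_type", "card_expiry"}
CONTACT_FIELDS = {"email", "name", "phone", "address", "ip"}
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed order record as an e-commerce backend might persist it (assumed schema).
RAW_ORDER = {
    "order_id": "ORD-1001",
    "email": "alice@example.com",
    "name": "Alice Example",
    "phone": "+1-555-0100",
    "address": "1 Example St, Toronto",
    "ip": "203.0.113.7",
    "card_bin": "411111",
    "card_last4": "1111",
    "card_type": "VISA",
    "card_expiry": "12/27",
    "processor_token": "tok_constructed_abc123",
}

# Constructed legacy record with a full test PAN pasted into a free-text field.
LEGACY_NOTE = {
    "order_id": "ORD-1002",
    "notes": "customer called, card 4111 1111 1111 1111 declined",
}


def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and timestamps that merely look long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(record):
    """Names of string fields containing a 13-19 digit run that passes Luhn."""
    found = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        compact = re.sub(r"[ -]", "", value)
        if any(luhn_ok(m.group()) for m in PAN_RE.finditer(compact)):
            found.append(key)
    return found


def blast_radius(record):
    """What a leak of this single record gives away; card metadata co-located with
    contact data is the combination that enables bank-impersonation fraud."""
    card = sorted(k for k in record if k in CARD_FIELDS and record[k])
    contact = sorted(k for k in record if k in CONTACT_FIELDS and record[k])
    return {
        "card_fields": card,
        "contact_fields": contact,
        "enables_targeted_fraud": bool(card) and bool(contact),
    }


def minimise_for_storage(record, keep_last4=True):
    """Retention-minimised copy: the processor token stands in for every card field.
    last4 is retained only when the business actually needs it (receipts, support)."""
    out = {k: v for k, v in record.items() if k not in CARD_FIELDS}
    if keep_last4 and record.get("card_last4"):
        out["card_last4"] = record["card_last4"]
    return out


if __name__ == "__main__":
    print("full PAN at rest in:", find_pan_like(LEGACY_NOTE))
    print("as stored:", blast_radius(RAW_ORDER))
    print("minimised:", blast_radius(minimise_for_storage(RAW_ORDER, keep_last4=False)))
```

Run over a database export, `find_pan_like` is a cheap way to discover card data that has crept into notes or log columns and silently expanded PCI scope, while `blast_radius` gives a per-table answer to "what does this leak if it leaks". The minimised record still supports refunds and chargebacks through the processor token, which is the point of the trade-off the report describes.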
