Goose Creek Data Breach: 6.6M Emails & Addresses Exposed (2026)
In June 2026, a party claiming to have access to data from Goose Creek Candle Company sent emails to a number of the company's customers , claiming the company had a security vulnerability and suffered a data breach. The data was subsequently sent to Have I Been Pwned and contained 6.6M unique email...
Overview
On June 15, 2026, Have I Been Pwned received a data set containing 6,574,121 unique email addresses from a party claiming to have accessed customer data from Goose Creek Candle Company. The alleged attacker sent emails directly to Goose Creek customers, stating they had discovered a security vulnerability and exploited it to exfiltrate the company’s customer database. The exposed records include names, email addresses, phone numbers, physical addresses, order IDs, and total amounts spent. Goose Creek was notified of the breach but, as of publication, has not confirmed the incident or provided additional technical details to affected users.
What Was Exposed
The breach exposes a comprehensive set of personally identifiable information (PII) for every affected customer:
- Email Addresses – Primary account identifiers used for login and communication.
- Names – Full names, which can be combined with other data for targeted phishing.
- Phone Numbers – Mobile and landline numbers, enabling SMS-based scams and vishing attacks.
- Physical Addresses – Home or shipping addresses, raising physical security concerns.
- Order IDs & Total Spent – Purchase history details that attackers can use to craft convincing social engineering messages.
This is not a password breach, but the breadth of personal data creates significant risk for social engineering and identity fraud.
How the Breach Happened
The data appears to have been scraped or extracted from Goose Creek’s Shopify instance. Shopify is a widely used e-commerce platform, and while the platform itself has robust security controls, individual merchant accounts can be compromised through weak credentials, misconfigured third-party apps, or vulnerabilities specific to the merchant’s customizations. The attacker’s claim of a “security vulnerability” suggests either a Shopify API misconfiguration, an exposed admin panel, or a compromised employee account with data export privileges. Goose Creek has not confirmed the root cause, but the direct contact of customers indicates the attacker had access to active customer records, not just a backup file.
Who’s Actually Affected
Every customer who made a purchase on the Goose Creek website and had their data stored in the company’s Shopify instance is potentially affected. This includes both current and former customers, as well as anyone who created an account but may not have completed a purchase. Because the data includes order IDs and total spent, even one-time buyers are impacted. The breach is limited to Goose Creek’s Shopify data; no other platforms or companies are involved.
What to Do Right Now
- Check if you’re affected – Visit Have I Been Pwned and search your email address. If it appears in this breach, you will see a notification.
- Be alert for phishing – Expect emails, texts, or calls that reference your name, order history, or address. Attackers will use the exposed data to make scams more believable. Never click links or download attachments from unsolicited messages.
- Monitor your accounts – Watch for unauthorized orders or changes to your Goose Creek account. While payment card data was not confirmed exposed, attackers may attempt account takeovers using your email and other personal details.
- Consider a credit freeze – Although SSNs were not included, the combination of name, address, and phone number can be used for identity fraud. A credit freeze at the three major bureaus adds a layer of protection.
- Update your Goose Creek password – Even if passwords were not exposed, it’s good practice to change your password for any account that shares the same email. Use a unique, strong password for each site.
Security Insight
This breach highlights a recurring vulnerability in the e-commerce ecosystem: merchants often treat their Shopify instance as a “black box,” relying on the platform’s security while neglecting their own administrative hygiene. The attacker’s ability to email customers directly suggests Goose Creek may not have had multi-factor authentication or adequate access controls on its admin accounts. For companies selling directly to consumers, customer PII is a high-value asset that requires the same security rigor as payment data. Until Goose Creek confirms the incident and discloses the root cause, affected customers should assume their personal information is in the hands of threat actors.
Further Reading
Investigate Breaches Safely with NordVPN
Researching exposed data, paste sites, or threat actor infrastructure? Route your OSINT traffic through a VPN to avoid attribution and keep your investigation IP separate from your corporate network.
Get NordVPN for ResearchAffiliate link — we may earn a commission at no extra cost to you.
Never miss a data breach report
Get real-time security alerts delivered to your preferred platform.
Related Breach Reports
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly . The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card t...
In July 2026, electronic test and measurement equipment company Fluke was targeted in a ShinyHunters "pay or leak" extortion campaign . The group subsequently published more than 100GB of data allegedly taken from the company. The corpus contained largely corporate contact information, including ove...
In June 2026, Moody Bible Institute was targeted by a ShinyHunters "pay or leak" extortion campaign . Over 2.3M unique email addresses and other personal data were later published publicly, including names, physical addresses, phone numbers, dates of birth and other information relating to donors, s...
In June 2026, the food distribution company Sysco was targeted by a ShinyHunters "pay or leak" extortion campaign . Data was subsequently published containing 2.7M unique email addresses belonging to staff and customers. The data also contained largely corporate contact information including names, ...