High

Goose Creek Data Breach: 6.6M Emails & Addresses Exposed (2026)

In June 2026, a party claiming to have access to data from Goose Creek Candle Company sent emails to a number of the company's customers , claiming the company had a security vulnerability and suffered a data breach. The data was subsequently sent to Have I Been Pwned and contained 6.6M unique email...

Overview

On June 15, 2026, Have I Been Pwned received a data set containing 6,574,121 unique email addresses from a party claiming to have accessed customer data from Goose Creek Candle Company. The alleged attacker sent emails directly to Goose Creek customers, stating they had discovered a security vulnerability and exploited it to exfiltrate the company’s customer database. The exposed records include names, email addresses, phone numbers, physical addresses, order IDs, and total amounts spent. Goose Creek was notified of the breach but, as of publication, has not confirmed the incident or provided additional technical details to affected users.

What Was Exposed

The breach exposes a comprehensive set of personally identifiable information (PII) for every affected customer:

  • Email Addresses – Primary account identifiers used for login and communication.
  • Names – Full names, which can be combined with other data for targeted phishing.
  • Phone Numbers – Mobile and landline numbers, enabling SMS-based scams and vishing attacks.
  • Physical Addresses – Home or shipping addresses, raising physical security concerns.
  • Order IDs & Total Spent – Purchase history details that attackers can use to craft convincing social engineering messages.

This is not a password breach, but the breadth of personal data creates significant risk for social engineering and identity fraud.

How the Breach Happened

The data appears to have been scraped or extracted from Goose Creek’s Shopify instance. Shopify is a widely used e-commerce platform, and while the platform itself has robust security controls, individual merchant accounts can be compromised through weak credentials, misconfigured third-party apps, or vulnerabilities specific to the merchant’s customizations. The attacker’s claim of a “security vulnerability” suggests either a Shopify API misconfiguration, an exposed admin panel, or a compromised employee account with data export privileges. Goose Creek has not confirmed the root cause, but the direct contact of customers indicates the attacker had access to active customer records, not just a backup file.

Who’s Actually Affected

Every customer who made a purchase on the Goose Creek website and had their data stored in the company’s Shopify instance is potentially affected. This includes both current and former customers, as well as anyone who created an account but may not have completed a purchase. Because the data includes order IDs and total spent, even one-time buyers are impacted. The breach is limited to Goose Creek’s Shopify data; no other platforms or companies are involved.

What to Do Right Now

  • Check if you’re affected – Visit Have I Been Pwned and search your email address. If it appears in this breach, you will see a notification.
  • Be alert for phishing – Expect emails, texts, or calls that reference your name, order history, or address. Attackers will use the exposed data to make scams more believable. Never click links or download attachments from unsolicited messages.
  • Monitor your accounts – Watch for unauthorized orders or changes to your Goose Creek account. While payment card data was not confirmed exposed, attackers may attempt account takeovers using your email and other personal details.
  • Consider a credit freeze – Although SSNs were not included, the combination of name, address, and phone number can be used for identity fraud. A credit freeze at the three major bureaus adds a layer of protection.
  • Update your Goose Creek password – Even if passwords were not exposed, it’s good practice to change your password for any account that shares the same email. Use a unique, strong password for each site.

Security Insight

This breach highlights a recurring vulnerability in the e-commerce ecosystem: merchants often treat their Shopify instance as a “black box,” relying on the platform’s security while neglecting their own administrative hygiene. The attacker’s ability to email customers directly suggests Goose Creek may not have had multi-factor authentication or adequate access controls on its admin accounts. For companies selling directly to consumers, customer PII is a high-value asset that requires the same security rigor as payment data. Until Goose Creek confirms the incident and discloses the root cause, affected customers should assume their personal information is in the hands of threat actors.

Further Reading

Investigate Breaches Safely with NordVPN

Researching exposed data, paste sites, or threat actor infrastructure? Route your OSINT traffic through a VPN to avoid attribution and keep your investigation IP separate from your corporate network.

Get NordVPN for Research

Affiliate link — we may earn a commission at no extra cost to you.

Share:

Never miss a data breach report

Get real-time security alerts delivered to your preferred platform.

Related Breach Reports

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.