Canada Goose Data Breach Added to Have I Been Pwned, 581,000+ Accounts Exposed

By Ash K
Canada Goose Data Breach Added to Have I Been Pwned, 581,000+ Accounts Exposed

Customer data linked to luxury outerwear brand Canada Goose has now been added to the breach notification service Have I Been Pwned (HIBP), bringing fresh visibility to an incident that reportedly exposed hundreds of thousands of customer records.

According to breach indexing data, approximately 581,900 accounts have been catalogued in the incident, which relates to customer transaction data believed to have originated from a third-party compromise in 2025. The breach entry was added to HIBP on February 17, 2026.

The inclusion in HIBP allows affected individuals to verify whether their email address appears in the dataset and assess potential downstream risk.

What the Breach Data Contains

Analysis of the exposed dataset indicates that the compromised information includes names, email addresses, phone numbers, physical mailing addresses, IP addresses, device information, and purchase-related records.

Partial payment card details were also reportedly present, including card type and the last four digits. While full credit card numbers were not disclosed, the combination of personal identifiers significantly increases identity fraud and targeted social engineering risk.

The most recent transaction dates within the exposed dataset reportedly extend through July 2025, suggesting the records relate to historical customer activity rather than a live transactional breach.

Third-Party Origin and Timeline

Canada Goose previously indicated that the exposed data appeared to originate from a breach at a third-party service provider in August 2025, rather than a direct compromise of its own core infrastructure.

Third-party exposure remains a recurring theme in retail and luxury brand incidents, where marketing platforms, CRM systems, or transaction processors often store large volumes of customer data.

While the exact number of affected individuals was not immediately disclosed by the company at the time of discovery, the HIBP listing provides clearer scope based on unique email addresses indexed in the breach corpus.

Implications for Customers

The exposure of personal identifiers combined with purchase history creates elevated risk for spear-phishing, vishing, and impersonation scams. Attackers frequently use transaction details to craft highly convincing fraud attempts.

Even partial card data can assist threat actors in bypassing weak verification checks during customer support calls or payment disputes.

Security experts advise affected customers to monitor financial statements, enable multifactor authentication on retail and financial accounts, and remain cautious of unsolicited calls referencing past purchases.

HIBP’s Role in Breach Transparency

Have I Been Pwned serves as one of the most widely used public breach notification platforms, allowing individuals and organizations to search whether email addresses appear in known data leaks.

The addition of the Canada Goose dataset to HIBP formalizes the breach within global breach intelligence tracking systems and enables automated enterprise monitoring for exposed corporate addresses.

The incident reinforces an ongoing pattern in retail cybersecurity: customer data stored across interconnected service providers often becomes the weakest link in otherwise well-defended ecosystems.

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.