Full Report
In June 2026, a party claiming to have access to data from Goose Creek Candle Company sent emails to a number of the company's customers, claiming the company had a security vulnerability and suffered a data breach. The data was subsequently sent to Have I Been Pwned and contained 6.6M unique email addresses along with names, phone numbers, physical addresses, order IDs and total spent. The data appears to have been obtained from the company's Shopify instance. Goose Creek is aware of the reports but was unable to provide Have I Been Pwned with any further information at the time of publication.
Analysis Summary
# Incident Report: Goose Creek Candle Company Data Breach
## Executive Summary
In June 2026, Goose Creek Candle Company suffered a significant data breach affecting approximately 6.6 million customers. An unauthorized party gained access to the company’s Shopify instance, exfiltrating personal identifiable information (PII) and transaction history, which was later disclosed to the public and the "Have I Been Pwned" (HIBP) notification service.
## Incident Details
- **Discovery Date:** June 2026 (via customer notification)
- **Incident Date:** June 2026
- **Affected Organization:** Goose Creek Candle Company
- **Sector:** Retail / E-commerce
- **Geography:** United States / Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026 (Specific time not disclosed)
- **Vector:** Exploitation of a security vulnerability within the company's Shopify instance.
- **Details:** The threat actor identified a vulnerability that allowed unauthorized access to back-end customer records.
### Lateral Movement
- **Details:** Data suggests direct access to the Shopify database or API; no specific internal lateral movement within Goose Creek’s corporate network was cited.
### Data Exfiltration/Impact
- **Details:** The attacker exfiltrated a dataset containing 6,654,589 unique records. The data included email addresses, full names, phone numbers, physical addresses, order IDs, and total spend amounts.
### Detection & Response
- **Discovery:** The incident came to light when the threat actor sent mass emails to Goose Creek customers claiming a breach had occurred.
- **Response actions taken:** The data was shared with Have I Been Pwned on July 15, 2026. Goose Creek acknowledged the reports but has not yet provided a detailed technical post-mortem.
## Attack Methodology
- **Initial Access:** Exploitation of e-commerce platform (Shopify) vulnerability.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Likely bypass of authentication or exploitation of an unsecured API.
- **Discovery:** Reconnaissance of the Shopify environment.
- **Lateral Movement:** N/A (Cloud-based data theft).
- **Collection:** Automated harvesting of customer databases including PII and purchase history.
- **Exfiltration:** Transfer of 6.6M records to external attacker-controlled infrastructure.
- **Impact:** Massive data leak and public reputational damage via direct customer contact by the attacker.
## Impact Assessment
- **Financial:** Potential for regulatory fines (GDPR/CCPA) and loss of customer lifetime value.
- **Data Breach:** Exposure of 6.6M unique customer records.
- **Operational:** Disruption to marketing and customer service channels due to influx of breach inquiries.
- **Reputational:** High; the attacker directly emailed customers before the company issued an official notification.
## Indicators of Compromise
- **Network indicators:** N/A (Cloud environment breach).
- **File indicators:** Dataset containing 6.6M records shared with HIBP.
- **Behavioral indicators:** Unauthorized API calls or bulk export logs within the Shopify admin console.
## Response Actions
- **Containment measures:** Investigation into the Shopify instance security settings.
- **Eradication steps:** Pending (Organization was unable to provide full details at the time of publication).
- **Recovery actions:** Listing the breach on HIBP to allow users to verify if their data was compromised.
## Lessons Learned
- **Third-Party Risk:** E-commerce platforms like Shopify require rigorous security configurations and monitoring.
- **Communication Gap:** The attacker gained the initiative by contacting customers first, highlighting a failure in early breach detection.
- **Data Minimization:** Storing excessive customer purchase history increases the impact magnitude of a breach.
## Recommendations
- **Audit Shopify Permissions:** Review and restrict access to Shopify Apps and API keys using the principle of least privilege.
- **Enable MFA:** Ensure Multi-Factor Authentication is enforced for all staff accounts with access to the store backend.
- **Implement Monitoring:** Deploy real-time alerting for bulk data exports or unusual administrative activity.
- **Formalize Incident Response:** Establish a clear protocol for rapid customer communication to maintain trust during a security event.