Back to news
Cybersecurity Alert
July 15, 2026 by EmailMeNow IT Consulting

Goose Creek Candle Data in HIBP After 6.6M Shopify Customer Records Surface

Have I Been Pwned indexed ~6.6M Goose Creek Candle emails after June 2026 customer outreach alleged a Shopify-related leak. Names, phones, addresses, order IDs, and spend exposed — phishing risk remains. Audits: goosecreekcandle.com 53%, goosecreek.com 51% — none at the 100% ideal.

Source: Have I Been Pwned

NewsData BreachPhishingShopifyCybersecurity
Illustration of a retail candle brand customer email and order data leak risk

Have I Been Pwned has indexed about 6.6 million unique email addresses tied to Goose Creek Candle Company after a June 2026 incident in which a party emailed customers alleging a security vulnerability and breach. The dataset also includes names, phone numbers, physical addresses, order IDs, and total spent, and appears to have come from the company’s Shopify instance. Goose Creek was aware of the reports but could not give HIBP further detail at publication.

Illustration of a retail candle brand customer email and order data leak risk

What Happened

WhenWhat
Jun 2026A party emails Goose Creek customers claiming a vulnerability / breach and includes personal order details to “prove” access (HIBP; Cyberinsider)
Jun 2026Same dataset subsequently provided to Have I Been Pwned
15 Jul 2026HIBP adds Goose Creek (~6.6M accounts) and notifies affected addresses
Field in the dumpWhy it still hurts
Email addresses (~6.6M unique)Direct list for spoofed “Goose Creek order / breach / refund” mail
Names + phone numbersPersonalized SMS and voice social engineering
Physical addressesPackage-theft / “delivery problem” lures that cite a real street
Order IDs + total spentFake support and loyalty scams that sound like real purchase history

Cyberinsider reported that many of the June emails urged recipients to contact management instead of customer support, and that ~84% of the emails were already in HIBP from earlier breaches — so password reuse remains a separate, ongoing risk even when Shopify login secrets are not in this dump.

HIBP’s compromised-data tags list email addresses, names, phone numbers, physical addresses, and purchases. There is no HIBP indication in the published summary that passwords or payment card PANs were part of this release — but identity + order context is enough for convincing fraud.

Illustration of fake order-update and security messages after a retail data leak

Why Shopify Customer Exports Fuel Scams

ThreatWhat customers should expect
Brand spoofingLookalike “Goose Creek security / order / shipping” senders
Credential harvestingFake Shopify / store login pages that steal reused passwords
Refund / gift-card scamsCallers who recite a real order ID and spend amount
SMS / phone follow-upsTexts that cite the leaked phone + address pair

Merchants on Shopify still own the customer PII in their store — platform infrastructure does not remove the need for access control, staff phishing resistance, and DMARC hardening on the brand domains customers trust.

Independent Cybersecurity Audit

We scored Goose Creek brand domains plus Shopify and HIBP on July 15, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.

DomainOverallIdentityTransportWebsiteLevel
haveibeenpwned.com88%90%45%100%Strong
shopify.com55%65%15%45%Average
goosecreekcandle.com53%25%15%87%Average
goosecreek.com51%10%15%87%Average
FindingDetail
Ideal score0 of 4 hit 100% overall
Soft brand identitygoosecreekcandle.com Identity 25% / goosecreek.com 10% — weak spoof resistance right when customers expect “breach” mail
Soft transport15% Transport on Goose Creek and Shopify hosts in this pass
Strongest herehaveibeenpwned.com at 88% with Website 100%
Phishing implicationSoft Identity on the candle brand domains makes forged “we found a vulnerability / confirm your order” messages easier to trust

Bar chart of EmailMeNow audit scores for haveibeenpwned.com, shopify.com, goosecreekcandle.com, and goosecreek.com — 100% ideal

Audit links: goosecreekcandle.com · goosecreek.com · shopify.com · haveibeenpwned.com

Website stack note

Passive website-tech probes on July 15, 2026 covered all four domains (4 probed, 0 notable). No outdated CMS / PHP / short-horizon TLS alerts stood out. Consumer risk in this story is still leaked identity + order context enabling phishing, not a public WordPress-core headline on these marketing domains.

What Texas Shoppers and Shopify Merchants Should Do

AudienceAction
Goose Creek / similar shoppersCheck Have I Been Pwned; treat unexpected “breach / order / refund” mail as hostile until verified in-app or via a known phone number
Password reuseChange passwords shared with any Shopify store accounts; enable MFA
FamiliesIgnore texts that recite your address or order ID out of the blue
Shopify merchantsLock down staff accounts, review apps with customer-export access, enforce DMARC p=reject, and aim for audit 100% on brand domains
Domain ownersSoft Identity (like Goose Creek’s 10–25%) is exactly what attackers abuse after email dumps

Sources: Have I Been Pwned — Goose Creek (added 15 Jul 2026; breach dated June 2026); Cyberinsider. Independent EmailMeNow domain audits July 15, 2026. Domain scores: audit.emailmenow.com only. Stack notes: website-tech. This is not legal advice.