Have I Been Pwned has indexed about 6.6 million unique email addresses tied to Goose Creek Candle Company after a June 2026 incident in which a party emailed customers alleging a security vulnerability and breach. The dataset also includes names, phone numbers, physical addresses, order IDs, and total spent, and appears to have come from the company’s Shopify instance. Goose Creek was aware of the reports but could not give HIBP further detail at publication.

What Happened
| When | What |
|---|---|
| Jun 2026 | A party emails Goose Creek customers claiming a vulnerability / breach and includes personal order details to “prove” access (HIBP; Cyberinsider) |
| Jun 2026 | Same dataset subsequently provided to Have I Been Pwned |
| 15 Jul 2026 | HIBP adds Goose Creek (~6.6M accounts) and notifies affected addresses |
| Field in the dump | Why it still hurts |
|---|---|
| Email addresses (~6.6M unique) | Direct list for spoofed “Goose Creek order / breach / refund” mail |
| Names + phone numbers | Personalized SMS and voice social engineering |
| Physical addresses | Package-theft / “delivery problem” lures that cite a real street |
| Order IDs + total spent | Fake support and loyalty scams that sound like real purchase history |
Cyberinsider reported that many of the June emails urged recipients to contact management instead of customer support, and that ~84% of the emails were already in HIBP from earlier breaches — so password reuse remains a separate, ongoing risk even when Shopify login secrets are not in this dump.
HIBP’s compromised-data tags list email addresses, names, phone numbers, physical addresses, and purchases. There is no HIBP indication in the published summary that passwords or payment card PANs were part of this release — but identity + order context is enough for convincing fraud.

Why Shopify Customer Exports Fuel Scams
| Threat | What customers should expect |
|---|---|
| Brand spoofing | Lookalike “Goose Creek security / order / shipping” senders |
| Credential harvesting | Fake Shopify / store login pages that steal reused passwords |
| Refund / gift-card scams | Callers who recite a real order ID and spend amount |
| SMS / phone follow-ups | Texts that cite the leaked phone + address pair |
Merchants on Shopify still own the customer PII in their store — platform infrastructure does not remove the need for access control, staff phishing resistance, and DMARC hardening on the brand domains customers trust.
Independent Cybersecurity Audit
We scored Goose Creek brand domains plus Shopify and HIBP on July 15, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.
| Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|
| haveibeenpwned.com | 88% | 90% | 45% | 100% | Strong |
| shopify.com | 55% | 65% | 15% | 45% | Average |
| goosecreekcandle.com | 53% | 25% | 15% | 87% | Average |
| goosecreek.com | 51% | 10% | 15% | 87% | Average |
| Finding | Detail |
|---|---|
| Ideal score | 0 of 4 hit 100% overall |
| Soft brand identity | goosecreekcandle.com Identity 25% / goosecreek.com 10% — weak spoof resistance right when customers expect “breach” mail |
| Soft transport | 15% Transport on Goose Creek and Shopify hosts in this pass |
| Strongest here | haveibeenpwned.com at 88% with Website 100% |
| Phishing implication | Soft Identity on the candle brand domains makes forged “we found a vulnerability / confirm your order” messages easier to trust |

Audit links: goosecreekcandle.com · goosecreek.com · shopify.com · haveibeenpwned.com
Website stack note
Passive website-tech probes on July 15, 2026 covered all four domains (4 probed, 0 notable). No outdated CMS / PHP / short-horizon TLS alerts stood out. Consumer risk in this story is still leaked identity + order context enabling phishing, not a public WordPress-core headline on these marketing domains.
What Texas Shoppers and Shopify Merchants Should Do
| Audience | Action |
|---|---|
| Goose Creek / similar shoppers | Check Have I Been Pwned; treat unexpected “breach / order / refund” mail as hostile until verified in-app or via a known phone number |
| Password reuse | Change passwords shared with any Shopify store accounts; enable MFA |
| Families | Ignore texts that recite your address or order ID out of the blue |
| Shopify merchants | Lock down staff accounts, review apps with customer-export access, enforce DMARC p=reject, and aim for audit 100% on brand domains |
| Domain owners | Soft Identity (like Goose Creek’s 10–25%) is exactly what attackers abuse after email dumps |
Related Coverage
- Under Armour 72M email leak
- Safe credit card processing: tokens & skimmers
- FBI IC3 cyber alerts
- All cyber alerts
Sources: Have I Been Pwned — Goose Creek (added 15 Jul 2026; breach dated June 2026); Cyberinsider. Independent EmailMeNow domain audits July 15, 2026. Domain scores: audit.emailmenow.com only. Stack notes: website-tech. This is not legal advice.