Goose Creek
A data breach at Goose Creek, the Kentucky-based candle and home fragrance retailer, has exposed personal information belonging to 6.6 million customers, according to Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt.
The exposed data includes email addresses, names, phone numbers, physical addresses, order numbers, and how much each customer has spent with the company, and Have I Been Pwned traced the data to Goose Creek's Shopify store. Passwords and payment card numbers do not appear to be part of what was exposed, based on what has been analyzed so far.
The breach came to light after customers began receiving unsolicited emails in June from an unknown sender claiming Goose Creek had ignored earlier warnings about a security hole in its systems, CyberInsider reports. Those emails included each recipient's own name, address, phone number, and order number as proof the sender had the data, along with a claim that millions of records had been taken.
Goose Creek has not publicly confirmed the breach or published a security advisory of its own.
Have I Been Pwned found that 84 percent of the exposed email addresses were already in its database from earlier, unrelated breaches. The physical addresses, phone numbers, and order histories in this breach were not previously exposed in bulk and are precise enough to make a phishing email or text referencing a real Goose Creek order appear convincing.
Anyone who has ordered from Goose Creek can check whether their email address was included by searching it at haveibeenpwned.com. Because names, addresses, and order details are exposed, treat any email or text that references a Goose Creek order, even an accurate one, with suspicion. A legitimate follow-up from Goose Creek won't ask for a password, payment information, or a one-time code.
Read next: How to tell if an email has been spoofed