Tech Made Simple

Hot Topics: All Roku Players Compared | Best iPad Keyboard Cases | The Best Open Ear Earbuds of 2026

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Goose Creek breach exposes data on 6.6 million shoppers

by Suzanne Kantra on July 16, 2026

A Goose Creek candle

Goose Creek

A data breach at Goose Creek, the Kentucky-based candle and home fragrance retailer, has exposed personal information belonging to 6.6 million customers, according to Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt.

The exposed data includes email addresses, names, phone numbers, physical addresses, order numbers, and how much each customer has spent with the company, and Have I Been Pwned traced the data to Goose Creek's Shopify store. Passwords and payment card numbers do not appear to be part of what was exposed, based on what has been analyzed so far.

The breach came to light after customers began receiving unsolicited emails in June from an unknown sender claiming Goose Creek had ignored earlier warnings about a security hole in its systems, CyberInsider reports. Those emails included each recipient's own name, address, phone number, and order number as proof the sender had the data, along with a claim that millions of records had been taken.

Goose Creek has not publicly confirmed the breach or published a security advisory of its own.

Have I Been Pwned found that 84 percent of the exposed email addresses were already in its database from earlier, unrelated breaches. The physical addresses, phone numbers, and order histories in this breach were not previously exposed in bulk and are precise enough to make a phishing email or text referencing a real Goose Creek order appear convincing.

Anyone who has ordered from Goose Creek can check whether their email address was included by searching it at haveibeenpwned.com. Because names, addresses, and order details are exposed, treat any email or text that references a Goose Creek order, even an accurate one, with suspicion. A legitimate follow-up from Goose Creek won't ask for a password, payment information, or a one-time code.

Read next: How to tell if an email has been spoofed


Topics

News, Computer Safety & Support, Blog, Privacy


Discussion loading

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.