ShinyHunters, a well-known data extortion group, claims to have stolen more than 600,000 Canada Goose customer records containing personal and payment-related data.

Canada Goose told BleepingComputer the dataset appears to relate to past customer transactions and that it has not found evidence of a breach of its own systems.

Founded in 1957, Canada Goose is a Toronto-based performance luxury outerwear brand with a global retail footprint and nearly 4,000 employees.

Canada Goose sees no evidence of breach

“Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online,” the company told BleepingComputer.

“At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate. To be clear, our review shows no evidence that unmasked financial data was involved. Canada Goose remains committed to protecting customer information.”

1.67 GB dataset contains detailed order records

ShinyHunters added Canada Goose to its data leak site this week, claiming the archive contains more than 600,000 customer records.

Samples reviewed by BleepingComputer show that the 1.67 GB dataset, released in JSON format, contains detailed e-commerce order records, including customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories.

The data also includes partial payment card information such as card brand, the last four digits of card numbers, and in some cases the first six digits (BIN), along with payment authorization metadata.

While the dataset does not appear to contain full payment card numbers, the exposed information could still be used for targeted phishing, social engineering, and fraud.

The records also include purchase history, device and browser information, and order values, potentially allowing attackers to profile high-value customers.

Hackers deny link to recent SSO attacks

ShinyHunters has recently been linked to a wave of social-engineering attacks targeting single sign-on (SSO) accounts and cloud environments.

When asked whether the Canada Goose data was obtained through those intrusions, the group told BleepingComputer the dataset was unrelated, claiming it originated from a third-party payment processor breach and dates back to August 2025.

BleepingComputer has not independently verified the claim.

The dataset’s schema (specifically, field names like checkout_id, shipping_lines, cart_token, cancel_reason, etc.), however, closely resembles e-commerce checkout exports commonly associated with hosted storefront and payment processing platforms, which may help explain how the data could have originated from a third-party service provider.

Who is ShinyHunters?

ShinyHunters is a prolific data extortion group known for stealing and leaking large volumes of customer data from major brands and online services.

The group has been linked to numerous high-profile breaches and data theft incidents in recent years, often targeting e-commerce platforms, SaaS services, and cloud environments.

In recent reporting, security researchers have tied the group to vishing and social-engineering campaigns used to gain access to corporate accounts and cloud data.

Stolen data is typically used for extortion, sold on underground forums, or published on the group’s leak site when victims refuse to pay.

It is not yet known how many Canada Goose customers may be affected or whether individuals will be notified. The company says it is continuing to review the dataset to determine its accuracy and scope.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

It probably won’t come as much of a surprise to find that most of the Hackaday staff aren’t exactly what you’d call sports fanatics, so we won’t judge if you didn’t tune in for the Super Bowl last week. But if you did, perhaps you noticed Ring’s Orwellian “Search Party” spot — the company was hoping to get customers excited about a new feature that allows them to upload a picture of their missing pet and have Ring cameras all over the neighborhood search for a visual match. Unfortunately for Ring, the response on social media wasn’t quite what they expected.

One commenter on YouTube summed it up nicely: “This is like the commercial they show at the beginning of a dystopian sci-fi film to quickly show people how bad things have gotten.” You don’t have to be some privacy expert to see how this sort of mass surveillance is a slippery slope. Many were left wondering just who or what the new system would be searching for when it wasn’t busy sniffing out lost pups.

The folks at Wyze were quick to capitalize on the misstep, releasing their own parody ad a few days later that showed various three-letter agencies leaving rave reviews for the new feature. By Thursday, Ring announced they would be canceling a planned expansion that would have given the divisive Flock Safety access to their network of cameras. We’re sure it was just a coincidence.

Speaking of three-letter agencies, the Environmental Protection Agency has announced this week that they will no longer incentivize the inclusion of stop-start systems on new automobiles. The feature, which shuts off the engine when the vehicle comes to a stop, was never actually required by federal law; rather, the EPA previously awarded credits to automakers that added the feature, which would help them meet overall emission standards. Manufacturers are free to continue offering stop-start systems on their cars if they wish, but without the EPA credits, there’s little benefit in doing so. Especially since, as Car and Driver notes, it seems like most manufacturers are happy to be rid of it. The feature has long been controversial with drivers as well, to the point that we’ve seen DIY methods to shut it off.

An incredible story ran in The Washington Post yesterday (free to read archive) that’s so wild that it’s almost hard to believe. In fact, if it wasn’t from The Washington Post, we’d be sure it was some kind of conspiracy theory fanfic. The short version goes like this: a Norwegian researcher who was so confident the “Havana syndrome” wasn’t the result of a directed energy weapon decided to prove it by not only building some sort of pulsed RF device based on leaked classified documents, but  fired the thing at himself as a test. We’re not sure what the Norwegian equivalent to the “Shocked Pikachu Face” meme is, but we’ll give you one guess as to what happened.

If that wasn’t crazy enough, the article goes on to casually mention that the US Department of Homeland Security secretly purchased a similar pulsed-energy weapon for several million dollars on the black market during the Biden administration, and is currently studying it. Despite it apparently containing Russian components, the Feds have yet to determine who actually built the thing. You’ll have a hard time finding a bigger proponent for the free exchange of information than Hackaday, but even we have to admit…maybe there are some things it’s better we don’t know about.

Of course, if you’re looking to really maximize the effects of your black market pulsed-energy weapon, you’ll need to get it up high (maybe, what the hell do we know). Or perhaps you’re just a radio enthusiast. In either event, if you’re within driving distance of Tennessee, you’ll want to keep an eye on this government auction for an 80-foot-tall mobile communications tower. According to the listing posted by the Madisonville Police Department, the towable rig was built in 2016, weighs in at a little over 10,000 pounds, and has been kept in storage. It just needs some air in the tires to get it moving again.

As of this writing, the high bid is just $565, but with 18 days left to go on the auction, we suspect that number will be considerably higher when the gavel drops. We’ll check back next month to see what it sold for, and on the off-chance that any of you actually buy it, please let us know.

If all this talk of mass surveillance and shady government dealings has you down, perhaps a quick game of web-based Descent will lighten the mood. It’s the product of a port to Three.js by [mrdoob], completed with the aid of Claude. We know many of you are critical of AI-produced code, and not without good reason, but the results in this case are pretty slick.

Finally, we’ll go out on a limb and guess that more than a few in the audience are fans of the film Short Circuit, which turns 40 years old this year. In celebration, an event is being planned for June in Astoria, Oregon, where parts of the movie were filmed. As if you needed any other reason to meet Steve Guttenberg, you’ll also get the chance to pose for pictures with Johnny 5 and sit in on Q&A discussions with the cast and crew. There’s even going to be licensed merch for sale, which we can only hope means you’ll be able to buy one of those miniature J5’s from Short Circuit 2. It’s not the sort of event Hackaday generally covers, but we’re certainly tempted.

See something interesting that you think would be a good fit for our weekly Links column? Drop us a line, we’d love to hear about it.

Google has released emergency updates to fix a high-severity Chrome vulnerability exploited in zero-day attacks, marking the first such security flaw patched since the start of the year.

“Google is aware that an exploit for CVE-2026-2441 exists in the wild,” Google said in a security advisory issued on Friday.

According to the Chromium commit history, this use-after-free vulnerability (reported by security researcher Shaheen Fazim) is due to an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values. Successful exploitation can allow attackers to trigger browser crashes, rendering issues, data corruption, or other undefined behavior.

The commit message also notes that the CVE-2026-2441 patch addresses “the immediate problem” but indicates there’s “remaining work” tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed.

The patch was tagged as “cherry-picked” (or backported) across multiple commits, indicating that it was important enough to include in a stable release rather than waiting for the next major version (likely because the vulnerability is being exploited in the wild).

Although Google found evidence of attackers exploiting this zero-day flaw in the wild, it did not share additional details regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” it noted.

Google has now fixed this vulnerability for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (145.0.7632.75/76), and Linux users (144.0.7559.75) worldwide over the coming days or weeks.

If you don’t want to update manually, you can also let Chrome check for updates automatically and install them after the next launch.

While this is the first actively exploited Chrome security vulnerability patched since the start of 2026, last year Google addressed a total of eight zero-days abused in the wild, many of them reported by the company’s Threat Analysis Group (TAG), widely known for tracking and identifying zero-days exploited in spyware attacks targeting high-risk individuals.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

Pretty much everyone I know is unhappy with their hair in some way. All of my straight-haired friends want curly, and all of my curly-haired friends want straight. I’m so jealous of people who have thick hair, as someone with fine, thin hair that tangles easily.

My hair also grows famously slow. I got a pixie cut in spring of 2011, and my hair did not touch my shoulders until the end of 2013. Plus, because my hair is super thin, when I pull it back, it separates, and you can see my scalp underneath. Because it’s so fine, it tangles and often breaks off, resulting in chronically dry split ends.

Overall, I’m unhappy with my hair and its lack of growth or fullness, so I wanted to see if CurrentBody’s cord-free, Bluetooth-enabled LED Hair Growth Helmet would work for my slew of hair issues. Red-light-therapy devices for hair are similar to red-light therapy masks for your face, using red lights to increase hair growth and promote a healthy scalp. You need to use the device for only 10 minutes a day, and CurrentBody claims you’ll see results within 12 weeks. While my results weren’t super visually dramatic, I noticed my hair feeling thicker while shampooing, and I saw a lot more “baby hairs” spring up on my hairline after about three months of testing.

Splitting Hairs

Photograph: Molly Higgins

Unlike more discreet red-light hair growth devices, like the HigherDose Red Light Hat (see our full review here), CurrentBody’s entry is a full-on helmet, lined with 10 strips of 12 red lights each on a spectrum of 620 to 660 nm (nanometers, the unit of measure for the wavelength of visible light). This works similarly to red-light-therapy face masks, which aim to improve skin conditions and spur new cell growth using red-light therapy in the mid-600-nm range. The 620-nm red light helps to improve scalp health by promoting circulation, and the 660-nm red light goes deeper, reaching through the epidermis and dermis to the hypodermis, where it stimulates growth and repair at the follicle root.

Photograph: Molly Higgins

Red-light wavelengths are clinically proven to energize hair follicles; improve scalp blood flow; reduce inflammation; lower dihydrotestosterone (DHT) levels, a hormone that causes hair loss and thinning; and support production of adenosine triphosphate (ATP), which helps to store and release energy in cells. This wavelength of red light triggers follicles to stay in the hair growth phase by providing oxygen and blood flow to the scalp.

Rinse, Red Light, Repeat

The helmet is FDA-cleared (meaning it’s been determined to be equivalent to a similar, legally marketed device) and is FSA (flexible spending account) or HSA (health spending account) eligible with a letter of medical necessity. It comes in two sizes: medium, for a skull circumference of 21.3 to 23.2 inches, or large, for 23.3 to 25 inches. (I opted for medium, and it was still too large for my head.) The device sits on a base and is charged via a USB-C cord. It takes about three hours to fully charge the helmet, and it lasts about a week on a single charge. (The white light on the side flashes while charging and turns solid white when the battery is full.) The device is powered on by pressing the single button located under the charging port.

Photograph: Molly Higgins

A few years ago, it may have been fashionable to spend $1,000 on the latest flagship smartphone, but for most people, that’s neither practical nor necessary. You don’t even have to spend $500 today to get a decent handset, whether it’s a refurbished iPhone or an affordable Android phone, as there are plenty of decent options as low as $160.

However, navigating the budget phone market can be tricky; options that look good on paper may not be in practice, and some devices will end up costing you more when you consider many come with restrictive storage. While we spend most of our time reviewing mid- to high-end handsets at Engadget, we’ve tested a number of the latest budget-friendly phones on the market to see cut it as the best cheap phones you can get right now.

Best cheap phones

Samsung

Read our full Samsung Galaxy A17 5G review

Advertisement

Building a good budget phone is tricky as manufacturers have a very hard limit on what they can include while staying under cost. Samsung has balanced this nicely on the Galaxy A17 5G by equipping it with a large 6.7-inch OLED display with solid brightness (up to 800 nits) and a 90Hz refresh rate. The phone’s design also defies its price because while it is made from polycarbonate (aka plastic), it doesn’t feel cheap. You even get a microSD card slot for expandable storage and three cameras in back. However, since one of those is a 2MP macro, it probably won’t see nearly as much use as the 50MP main or 5MP ultra-wide.

The one thing I wish Samsung splurged a bit more on is the phone’s Exynos 1330 chip, as it’s a little dated and sometimes struggles with things like multitasking or running more demanding apps. That said, starting at just $200 (or less depending on discounts), the Galaxy A17 delivers a lot of value for not a ton of money. — Sam Rutherford, Senior Reporter

OnePlus

Advertisement

The OnePlus Nord N30 5G was our previous top pick. At $300, it’s normally $100 more expensive than the A16 5G. However, if you can find it on sale for less, it’s still worth considering over the A16. For one, the N30 features a faster 120Hz display and its Snapdragon 695 chip, while older than the A16’s Exynos 1330, still outperforms it in some areas.

Another reason to consider the N30 over the A16 is that it ships with a 50W power adapter, letting you get a full day of battery life in 30 minutes. If you hope to use your new phone for as long as possible, the A16 is the better choice, but the N30 can be a compelling alternative. — Igor Bonifacic, Senior Reporter

Motorola

Advertisement

For those on a really tight budget, the 2024 Moto G Play covers all the bases well. It has a decently fast Snapdragon 680 processor along with 4GB of RAM and 64GB of storage. And while that last number might seem small, the phone has a microSD card slot so you can add more space if and when you need it.

Its 6.5-inch LCD screen is also surprisingly sharp with a 90Hz refresh rate. The Moto G Play even has an IP52 rating for dust and water resistance. That isn’t much, but it’s good enough to protect against an errant splash or two. Sure, the G Play is basic, but it’s basic in a good way. — S.R.

Motorola

Advertisement

The $400 Motorola Moto G Stylus 5G offers something none of the other picks on this list do: a built-in stylus. If you love doodling and jotting down notes, then this is the cheap phone to buy. Thankfully, it has a few other things going for it too. The Moto G Stylus 5G sports a big and responsive 6.7-inch display and a long-lasting 5,000mAh battery. Plus, it doesn’t look half bad.

As with other options in this price range, it would be nice if the Moto G Stylus 5G came with a more capable camera, faster charging and protection against water. With this recommendation, be sure to avoid paying full price for the Moto G Stylus 5G. Thankfully, that’s not hard to do with the phone frequently on sale. — I.B.

What to look for in a cheap phone

For this guide, our top picks cost between $100 and $300. Anything less and you might as well go buy a dumb phone instead. Since they’re meant to be more affordable than flagship phones and even midrange handsets, budget smartphones involve compromises; the cheaper a device, the lower your expectations around specs, performance and experience should be. For that reason, the best advice I can give is to spend as much as you can afford. In this price range, even $50 or $100 more can get you a dramatically better product.

Second, you should know what you want most from a phone. When buying a budget smartphone, you may need to sacrifice a decent main camera for long battery life, or trade a high-resolution display for a faster CPU. That’s just what comes with the territory, but knowing your priorities will make it easier to find the right phone.

It’s also worth noting some features can be hard to find on cheaper handsets. For instance, you won’t need to search far for a device with all-day battery life — but if you want a phone with excellent camera quality, you’re better off shelling out for one of the recommendations in our midrange smartphone guide, which all come in at $600 or less.

Wireless charging and waterproofing also aren’t easy to find in this price range and forget about the fastest chipset. On the bright side, most of our recommendations come with headphone jacks, so you won’t need to buy wireless headphones.

iOS is also off the table, since, following the discontinuation of the iPhone SE, the $599 iPhone 16e is now the most affordable offering from Apple. That leaves Android as the only option in the under-$300 price range. Thankfully today, there’s little to complain about Google’s operating system – and you may even prefer it to iOS.

Lastly, keep in mind most Android manufacturers typically offer far less robust software features and support for their budget devices. In some cases, your new phone may only receive one major software update and a year or two of security patches beyond that. That applies to the OnePlus and Motorola recommendations on our list.

If you’d like to keep your phone for as long as possible, Samsung has the best software policy of any Android manufacturer in the budget space, offering at least four years of security updates on all of its devices. Recently, it even began offering six years of support on the $200 A16 5G, which we recommend below. That said, if software support (or device longevity overall) is your main focus, consider spending a bit more on the $500 Google Pixel 9a, or even the previous-gen Pixel 8a, which has planned software updates through mid-2031.

The DJI Neo, priced at $149 (was $199), stands out as an entry-level flying drone that’s surprisingly simple to use, especially if you’re just getting started or looking for something to keep in your carry-on. People call it the ideal starter or travel companion for a reason: it’s small (just 135 grams), simple to use, and inexpensive.

There’s no need to tote around a bulky case when you can just slip the Neo into your pocket. Prop guards cover the rotors, preventing bumps and collisions. Launch it with a flick of the wrist: simply click the mode button on top, select your shot type, and the device takes off without the need for a remote.

Sale

DJI Neo, Mini Drone with 4K UHD Camera for Adults, 135g Self Flying Drone that Follows You, Palm Takeoff…

• Due to platform compatibility issue, the DJI Fly app has been removed from Google Play. DJI Neo must be activated in the DJI Fly App, to ensure a…
• Lightweight and Regulation Friendly – At just 135g, this drone with camera for adults 4K may be even lighter than your phone and does not require FAA…
• Palm Takeoff & Landing, Go Controller-Free [1] – Neo takes off from your hand with just a push of a button. The safe and easy operation of this drone…

If you need additional control, just pair it with the DJI Fly app on your phone over Wi-Fi, or use a separate remote controller to take it to the next level (up to several kilometers in good conditions). For a truly immersive experience, use your DJI Goggles and motion controller; you can even switch to manual mode for some dramatic flare (though the drone will remain stable if you get carried away).

The camera specifications aren’t going to blow anyone away, but the 1/2 inch sensor can capture decent 4K video at 30fps and 12 megapixel stills. The electronic stabilization is also quite effective; even in full sunshine, you’ll get some lovely sharp colours. Things get a little mushy in low light, but that’s to be expected given the price. Storage is built-in and contains approximately 22GB, allowing you to take a number of short flights before needing to transfer to your phone.

Battery life is about 18 minutes per charge, however it lowers slightly with guards on or if you’re being too aggressive. A level 4 wind resistance rating indicates that it can withstand moderate breezes, but severe gusts may require you to scramble to keep it in the air. Indoor flights are a breeze (pun intended) thanks to the guards and light weight, allowing you to practice flying on rainy days or in confined locations.

If you’ve been hanging onto an older Apple Watch and telling yourself “it still works,” this is the kind of deal that makes upgrading feel simple. Apple Watch Series 11 (GPS) is $299, down from a $399 retail value, saving you $100. The other reason it matters: this price is tied to a deal countdown, so it’s not the sort of discount you can count on being there later tonight.

What you’re getting

Apple Watch is still the easiest way to make your iPhone feel more useful throughout the day. You get glanceable notifications, quick replies, call handling, timers, alarms, and Apple Pay right on your wrist. That may sound basic, but it’s the difference between constantly pulling out your phone and just staying in the flow.

It’s also a fitness-friendly device without requiring you to be a fitness person. You can track activity automatically, close your rings, and keep tabs on trends over time. For many people, that turns into better consistency rather than a short-lived burst of motivation.

Why it’s worth it

The practical appeal is convenience. An Apple Watch becomes the thing you check when your phone is across the room, in your pocket, or face-down during a meeting. It’s also one of the best “small nudges” devices for daily habits: standing up more, moving a bit, and noticing patterns you would otherwise ignore.

At $299, it’s priced closer to the entry point most people want for a smartwatch that will actually stick around in their routine. It’s also a nice upgrade for anyone whose current watch battery is fading, performance feels sluggish, or features are starting to lag behind the newer watchOS experience.

The bottom line

Apple Watch Series 11 at $299 is a clean, straightforward upgrade if you want the best iPhone companion for everyday notifications, quick tasks, and fitness tracking. The biggest reason to act is timing. This deal is shown with a countdown and is set to end soon, so if you were already close to buying one, this is the moment where waiting usually costs you the discount.