Today’s Menu
- Canada Goose customer data leak: what it exposes and how criminals will use it
- Snail-mail QR-code letters targeting crypto wallet owners
- Coupang breach findings: why ‘authentication shortcuts’ become megabreaches
Story 1: Canada Goose customer records leaked (600K)

What happened
A data extortion group (ShinyHunters) posted what it claims are over 600,000 Canada Goose customer records from past transactions. Canada Goose says it has not found evidence its own systems were breached and is reviewing the dataset.
Why it matters
Even without full card numbers, leaked names, addresses, phone numbers, emails, and purchase history are perfect ingredients for convincing ‘your order had an issue’ scams, account-takeover attempts, and targeted fraud.
How to protect yourself
1) Treat any Canada Goose ‘order problem’ email/text/call as suspicious. Don’t click; go directly to the official site/app.
2) Lock down your email account with MFA (authenticator app preferred) because email is the master key for password resets.
3) Watch for package delivery scams and credit card ‘replacement’ calls that already know your address and recent purchase.
Published: Feb 15, 2026
Source: BleepingComputer
Story 2: Snail-mail QR code letters targeting Trezor/Ledger users

What happened
Scammers are mailing physical letters that impersonate Trezor and Ledger and push recipients to scan a QR code for a mandatory ‘authentication/transaction check.’ The QR code sends victims to a phishing site that asks for the wallet recovery phrase (seed phrase).
Why it matters
A seed phrase is total control. If you hand it over, criminals can recreate your wallet on their device and drain funds. Physical mail also feels ‘official’ in a way emails don’t, which boosts the scam’s success rate.
How to protect yourself
1) Never type your recovery phrase into a website. Ever. Hardware wallet makers don’t need it and won’t ask.
2) If you’re worried, open the official app/site by typing the address yourself (no QR codes, no links).
3) Assume your mailing address could be in old breach data. Be extra strict about ‘urgent’ letters that demand quick action.
Published: Feb 13, 2026 (approx.)
Source: BleepingComputer
Story 3: Coupang breach probe points to authentication weaknesses

What happened
South Korean officials said a major Coupang customer data leak was driven by management and authentication failures rather than a sophisticated external attack. Reuters reports a former engineer allegedly exploited authentication vulnerabilities and a still-valid signing key to access customer accounts over months.
Why it matters
Many ‘breaches’ aren’t movie-hacker stuff. They’re overlooked keys, weak token controls, and slow offboarding. Those mistakes scale fast when you have tens of millions of customers.
How to protect yourself
1) Use unique passwords (a password manager makes this practical).
2) Turn on MFA wherever possible; it reduces the blast radius of stolen credentials.
3) Watch for targeted scams that know your name/phone number and reference your shopping habits.
Published: Feb 10, 2026
Source: Reuters
Grandma’s Firewall
Simple rule: If someone is rushing you, it’s a scam until you’ve verified it using a second path.
Script 1 (phone): “I don’t do urgent changes on an incoming call. I’m going to hang up and call the official number from the company’s website.”
Script 2 (email/text/letter): “I’m not scanning QR codes or clicking links for security checks. I’ll open the official app/site myself and check there.”
Share line: Send this to one person who would 100% scan the QR code because it came in the mail.
— Philip | Human In[Security]

