European DYI chain ManoMano data breach impacts 38 million customers
Source: Bleeping Computer
DIY store chain ManoMano is notifying customers of a data breach that was caused by hackers compromising a third‑party service provider. The company confirmed to BleepingComputer that it learned of the hack in January 2026. An investigation determined that 38 million individuals are affected.
“We can confirm that ManoMano has recently notified customers about a security incident involving one of our third‑party customer service providers (a subcontractor),” the company told BleepingComputer.
In January 2026, unauthorized access linked to this provider resulted in the extraction of certain personal data associated with customer accounts and customer service interactions.
ManoMano is a French e‑commerce firm operating an online marketplace specializing in DIY, home improvement, gardening, and related products. It operates in France, Belgium, Spain, Italy, Germany, and the United Kingdom, and its e‑stores reportedly have 50 million unique visitors per month.
Earlier this month, an individual using the alias “Indra” claimed on a hacker forum to be holding details on 37.8 million user accounts, as well as thousands of support tickets and attachments.
According to unconfirmed reports, the compromised organization was a Tunis‑based customer support service provider that suffered a Zendesk breach.
Cybersecurity firm Hackmanac posted that ManoMano started notifying customers this week that their data had been stolen.
Exposed Data
The exposed information varies per individual, depending on the type of interactions they had with the platform. Data types include:
- Full name
- Email address
- Phone number
- Customer service communications
ManoMano emphasizes that no account passwords were accessed and that no data modifications occurred on the company’s systems.
Company Response
- Disabled the relevant access and revoked the subcontractor’s access to customer data.
- Strengthened access controls and monitoring.
- Notified the relevant authorities, including the CNIL and ANSSI.
- Informed impacted customers with guidance to remain vigilant against phishing and social engineering attempts.
Source: ManoMano
The notification sample shared with BleepingComputer contains recommendations for customers, including verifying incoming communications and sender identity, monitoring bank accounts for fraudulent transactions, and avoiding clicking on suspicious links or downloading email attachments.
ManoMano notes that the investigation is ongoing and that they cannot share additional technical details at this stage.