Zara data breach exposed personal information of 197,000 people
Source: Bleeping Computer
Hackers who gained access to the databases of Spanish fast‑fashion retailer Zara stole data belonging to more than 197,000 customers, according to data‑breach notification service Have I Been Pwned.
Zara operates over 1,500 company‑managed and franchised stores worldwide and is the flagship brand of the Inditex Group, one of the world’s largest fashion distribution groups. Inditex also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.
Inditex Statement
As Inditex stated last month, when the breach was widely reported, the compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets.
- The attackers did not gain access to customers’ names, phone numbers, addresses, credentials, or payment information (e.g., bank cards).
- Inditex’s operations and systems were unaffected.
- The company has not yet attributed the breach to a specific threat actor or identified the hacked provider.
“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,”
— Inditex press release
ShinyHunters Claim
While Inditex and Zara have yet to disclose further details, the ShinyHunters extortion gang claimed responsibility and leaked a 140 GB archive containing documents allegedly stolen from BigQuery instances using compromised Anodot authentication tokens.
Zara entry on ShinyHunters’ data‑leak site (BleepingComputer)
Have I Been Pwned analyzed the stolen data and reported that the breach exposed the data of 197,400 people, including unique email addresses, geographic locations, purchases, and support tickets:
“The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in.”
— Have I Been Pwned – Zara breach
Previously, the gang told BleepingComputer that they had stolen data from dozens of companies using Anodot authentication tokens, but were blocked by AI‑based detection when trying to steal data from Salesforce instances.
The group has also been linked to a widespread vishing campaign targeting employees’ and BPO agents’ Microsoft Entra, Okta, and Google SSO accounts to steal data from connected SaaS applications (Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, etc.) after breaching corporate SSO accounts.
Other Breaches Claimed by ShinyHunters (Recent Months)
- Google – Ongoing Salesforce data‑theft attacks
- Cisco – Impacting Cisco.com user accounts
- PornHub – Extortion after stealing premium‑member activity data
- Match Group – Data from Hinge, Tinder, OkCupid, and Match
- Vimeo – Anodot breach exposed user data
- Rockstar Games – Stolen analytics data leaked
- ADT – Affected 55 million people
- European Commission – Data of 30 EU entities exposed
- McGraw‑Hill – Affected 135 million accounts
- Medtronic – Claim of 9 million records theft
- Carnival (cruise line operator)
- 7‑Eleven (convenience‑store chain)
- Udemy (online‑training company)
More recently, ShinyHunters hacked education‑technology giant Instructure twice. The second attack exploited a security vulnerability to deface Canvas login portals for ~330 colleges and universities and threatened to leak data stolen in the earlier breach unless a ransom was paid.
Related Incident: MANGO
Spanish fashion retailer MANGO also sent breach notices to its customers in October, warning that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. No ransomware or extortion groups have claimed this incident, so the attackers remain unknown.
Additional Media
99% of What Mythos Found Is Still Unpatched.
AI chained four zero‑days into one expl
Exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context‑rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.