ShinyHunters Leak Exposes Data of 197,000 Zara Customers via Third-Party Provider
Inditex disclosed that unauthorized access to databases hosted by a former third-party technology provider exposed data tied to nearly 197,000 Zara customers. The compromised records reportedly included about 197,400 unique email addresses, order IDs, product SKUs, geographic market information, purchase history, and customer support ticket data. Inditex said the incident did not affect names, passwords, payment details, postal addresses, or phone numbers, and added that Zara’s own operations and internal systems were not impacted.
The breach has been linked by Have I Been Pwned to the ShinyHunters extortion group’s April 2026 “pay or leak” campaign. According to the reporting, the attackers claimed they gained access through compromised Anodot authentication tokens and exfiltrated data from BigQuery environments, including a broader archive that allegedly contained up to 95 million support ticket records. After failed extortion attempts, the group reportedly published the stolen data, while Inditex said it activated security protocols and began notifying relevant authorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Inditex says nearly 197,000 Zara customers were affected
On 2026-05-08, reporting said Inditex disclosed that nearly 197,000 Zara customers were affected by unauthorized access to databases hosted by a former third-party provider. The company said names, passwords, payment details, addresses, and phone numbers were not affected, and that it had activated security protocols and begun notifying relevant authorities.
HIBP lists Zara breach and links it to 197,000 exposed email addresses
On 2026-05-08, Have I Been Pwned added the Zara breach, stating that about 197,000 unique email addresses were exposed in a broader leaked dataset. HIBP linked the incident to ShinyHunters' April 2026 campaign and noted the broader leak allegedly contained 95 million support ticket records.
ShinyHunters publishes Zara data after failed extortion attempts
After unsuccessful extortion attempts in April 2026, ShinyHunters published allegedly stolen Zara-related data. Reports said the leak included support ticket records, email addresses, order IDs, product SKUs, market information, and purchase history.
Inditex discloses contractor-hosted data leak affecting Zara customers
By 2026-04-16, Inditex had flagged a data leak involving databases hosted by a former third-party technology provider and said core client records were safe. The company stated its own operations and systems were not impacted.
ShinyHunters targets Zara in April 2026 pay-or-leak campaign
In April 2026, Zara was identified as one of several organizations targeted by the ShinyHunters extortion group. The actor claimed the breach was linked to compromised Anodot authentication tokens used to access BigQuery data and said it stole a large archive of data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident
securityaffairs.com
Open sourceHave I Been Pwned: Zara Data Breach
haveibeenpwned.com
Open sourceInditex flags contractor data leak, says client records safe - FashionNetwork
ww.fashionnetwork.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Publishes Stolen Data From Bumble, Match Group, and Dozens of Firms
ShinyHunters has published a broad trove of allegedly stolen data affecting more than 40 organizations across retail, healthcare, hospitality, insurance, and consumer services, with reporting tying the leak campaign to victims including **Bumble**, **Match Group**, **Mytheresa**, **Zara**, **Carnival**, and **7-Eleven**. Researchers said the exposed material includes personally identifiable information, customer and transaction records, internal corporate files, and multi-terabyte datasets; one of the largest alleged exposures involved **Medtronic**, where roughly **9 million records** were reportedly listed before that entry was later removed from the leak site. The campaign reflects ShinyHunters' continued shift from ransomware-style encryption to **data theft and extortion**, with the group allegedly threatening to keep victim data available indefinitely on criminal platforms. Separate reports said the actors claimed to have stolen about **10 million records** from dating-app companies, while researchers also linked leaked **Bumble** data to the same operation after an earlier claim that roughly **30GB** had been taken from the company. The disclosures echo a wider criminal pattern in which stolen sensitive data is leaked to pressure victims after exfiltration, including in healthcare breaches such as the Change Healthcare incident.
Jun 7, 2026
ShinyHunters Claims Large-Scale Data Theft From Dutch Telecom Odido
**ShinyHunters** has claimed responsibility for breaching Dutch telecommunications provider **Odido** (and brand **BEN**) and stealing a much larger dataset than the company initially indicated. Odido previously disclosed that attackers accessed its customer contact system and downloaded customer data, reporting the incident to the Dutch Data Protection Authority, cutting off attacker access, and bringing in external incident-response support. Odido said the exposed data varied by customer and could include identifiers and contact details such as name, address, mobile number, customer number, email address, **IBAN**, date of birth, and some ID details (e.g., passport/driver’s license numbers and validity), while stating that Mijn Odido passwords, call/location/data/billing details, and scans of identity documents were not exposed. ShinyHunters subsequently listed Odido on its leak site and alleged theft of **~21 million records** tied to **~8 million customers**, asserting Odido downplayed the scope. The gang’s claims also include highly sensitive elements—most notably **plaintext passwords**—and additional materials such as internal corporate documents and source code, which (if accurate) would materially increase risks of credential stuffing/account takeover, identity fraud, and follow-on intrusion. At the time of reporting, the expanded dataset details (including plaintext passwords and source code) were presented as **attacker claims** rather than independently confirmed by Odido.
Mar 26, 2026
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026