Nearly 197,000 Zara customers have been exposed following a cyberattack on a former technology provider used by Inditex, the Spanish fashion conglomerate behind Zara, Bershka, Pull&Bear, and Massimo Dutti. The breach, claimed by the extortion group ShinyHunters, was confirmed through analysis by Have I Been Pwned (HIBP) and traced to compromised authentication tokens linked to the Anodot analytics platform. Inditex has acknowledged the unauthorized access and notified relevant authorities.
What Happened
In April 2026, ShinyHunters targeted Zara as part of a broader "pay or leak" extortion campaign that struck multiple international organizations. The attackers gained unauthorized access to databases hosted by a former third-party technology provider servicing Inditex. After the company refused to negotiate, the group published a terabyte of allegedly stolen data on its Tor data leak site, including approximately 95 million support ticket records. HIBP independently verified the dataset and confirmed 197,400 unique email addresses among the records. Inditex maintains that operations and customer-facing systems remain unaffected.
What Was Taken
The leaked dataset does not contain names, passwords, payment details, physical addresses, or phone numbers, according to Inditex. However, the exposed records still provide a granular view of customer behavior, including:
- 197,400 unique email addresses
- Order IDs and product SKUs
- Geographic market data tied to support tickets
- Purchase history records
- Customer support ticket content (approximately 95 million records claimed)
While the data is not directly financial, the combination of email addresses, purchase patterns, and support interactions creates a high-fidelity profile suitable for targeted phishing and social engineering campaigns.
Why It Matters
This incident underscores the systemic risk posed by SaaS analytics and observability platforms that hold privileged access to customer data warehouses. The Anodot compromise has reportedly cascaded across dozens of companies, making it less an isolated retail breach and more a supply chain event with industry-wide implications. For defenders, the Zara case illustrates how "non-sensitive" telemetry data (support tickets, order histories, market metadata) can still fuel highly convincing phishing lures when combined with verified email addresses. ShinyHunters' track record, including claimed breaches at Google, Cisco, Vimeo, Rockstar Games, Instructure, and the European Commission, signals that this campaign is unlikely to slow.
The Attack Technique
ShinyHunters claims it exfiltrated a 140GB archive from Google BigQuery instances by abusing compromised authentication tokens belonging to Anodot, a third-party analytics provider integrated with victim environments. The same token-abuse technique has been used against numerous other organizations in the current extortion wave. By riding legitimate OAuth or service account credentials into BigQuery, the attackers bypass perimeter controls entirely and operate as a trusted analytics workload, an approach that frustrates traditional intrusion detection. The group's "pay or leak" model relies on rapid, large-scale exfiltration followed by public extortion when targets refuse to pay.
What Organizations Should Do
- Audit third-party SaaS access to data warehouses. Inventory every external integration with BigQuery, Snowflake, Redshift, and similar platforms, and confirm each one has a documented business owner and current security review.
- Rotate and scope analytics tokens. Treat Anodot, Segment, and similar analytics integrations as high-value credentials. Apply least privilege, scoped service accounts, IP allowlists, and short-lived tokens with mandatory rotation.
- Enable BigQuery and equivalent audit logging. Monitor for anomalous query volume, unusual data egress patterns, and access from new geographic regions or service accounts.
- Notify customers proactively. Even when names and payments are not exposed, email-plus-purchase-history disclosures warrant transparent communication and elevated phishing warnings to affected users.
- Hunt for ShinyHunters TTPs. Review logs for token reuse, mass table exports, and BigQuery jobs originating from third-party integrations during April 2026 and after.
- Pressure-test vendor offboarding. The breach traces to a former provider; ensure decommissioned vendors have credentials revoked, data purged, and access pathways closed within defined SLAs.
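The audit-log monitoring and hunting steps above, sketched as an added example (not code from the article's source or any vendor): it compares a review window of warehouse job records against a baseline and flags calls from outside the integration's IP allowlist, exports to unapproved destinations, and daily volume spikes. The records are a constructed, simplified flattening of job audit entries; the field names, service account, IP ranges and bucket names are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

FIELDS = ("day", "principal", "ip", "job_type", "gb", "dest")  # assumed flat schema
VENDOR = "vendor-analytics@example-project.iam.gserviceaccount.com"  # hypothetical
ALLOWED_NETS = [ip_network("198.51.100.0/24")]              # assumed vendor allowlist
ALLOWED_DEST_PREFIXES = ("gs://example-project-exports/",)  # assumed approved targets

def rows(*tuples):
    return [dict(zip(FIELDS, t)) for t in tuples]

# Constructed baseline: routine daily query jobs from the allowlisted range.
BASELINE = rows(
    ("2026-03-28", VENDOR, "198.51.100.10", "QUERY", 2.1, None),
    ("2026-03-29", VENDOR, "198.51.100.11", "QUERY", 1.8, None),
    ("2026-03-30", VENDOR, "198.51.100.10", "QUERY", 2.4, None),
)
# Constructed review window: one normal day, then a new IP, a spike and an export.
REVIEW = rows(
    ("2026-04-02", VENDOR, "198.51.100.10", "QUERY", 2.0, None),
    ("2026-04-03", VENDOR, "203.0.113.77", "QUERY", 40.0, None),
    ("2026-04-03", VENDOR, "203.0.113.77", "EXTRACT", 90.0, "gs://unknown-bucket/dump/*"),
)

def hunt(baseline, review, volume_factor=5):
    """Return (day, principal, finding, detail) tuples for the review window."""
    per_day = defaultdict(lambda: defaultdict(float))
    for r in baseline:
        per_day[r["principal"]][r["day"]] += r["gb"]
    # Typical daily volume per principal = median of its baseline days.
    typical = {p: median(days.values()) for p, days in per_day.items()}
    findings, daily = [], defaultdict(float)
    for r in review:
        if not any(ip_address(r["ip"]) in net for net in ALLOWED_NETS):
            findings.append((r["day"], r["principal"], "ip_outside_allowlist", r["ip"]))
        if r["job_type"] == "EXTRACT" and not (r["dest"] or "").startswith(ALLOWED_DEST_PREFIXES):
            findings.append((r["day"], r["principal"], "export_to_unapproved_dest", r["dest"]))
        daily[(r["principal"], r["day"])] += r["gb"]
    for (principal, day), gb in daily.items():
        # A principal with no baseline at all is flagged as well.
        if principal not in typical or gb > volume_factor * typical[principal]:
            findings.append((day, principal, "volume_anomaly", gb))
    return findings

if __name__ == "__main__":
    for finding in hunt(BASELINE, REVIEW):
        print(finding)
```

The allowlist and destination checks are what catch a valid token used from the wrong place; the volume check alone would miss a slow export that stays under the threshold.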
Sources: Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident