"An unauthorized party gained access to our internal order management system, and the perpetrator may have retrieved order data where your order data is potentially included," Miinto told customers in an email, acknowledging a breach that exposed shopper records and prompting a warning about follow-on fraud.
Miinto's customer disclosure and notification steps
Miinto, the Copenhagen‑headquartered online fashion marketplace, notified some customers this week by email that a security incident "may have affected some of the personal data associated with a purchase you made on Miinto." The Register saw the emails, which the company sent to UK‑based customers. In the message Miinto said it had reported the incident "to the police and to the relevant data protection authority" and that it was contacting affected customers directly so they would "know exactly what happened and what to watch out for."
The company did not make the incident public through its own channels, and it did not respond to The Register's request for comment, according to the published report.
Which records Miinto says were exposed
Miinto confirmed that names, email addresses, physical addresses and phone numbers were among the data types accessed by the intruder. The company also said customers' payment methods were "compromised too." The emailed explanation noted the breach could reveal whether a customer paid using a card and the type of card, or used pay‑in‑three services such as Klarna. Importantly, Miinto said the attack did not expose card numbers or verification numbers.
The notice framed the intrusion as access to the marketplace's "internal order management system" and characterized the information taken as order data — a category that can include both shipping details and payment method indicators.
Miinto's warnings about phishing and impersonation
Miinto explicitly warned customers to be alert for phishing attempts that impersonate the brand. The company said attackers could use details taken from the breach to make fraudulent communications appear more convincing. "We are contacting you directly so that you know exactly what happened and what to watch out for," the email stated, underscoring the firm's concern that exposed order details would lower the bar for successful social‑engineering attacks.
Containment actions Miinto reports taking
In the same customer notice Miinto said it had "taken this incident extremely seriously and have worked quickly to contain it." The company reported removing the intruder from its systems and increasing access controls on the order management system. Miinto added that it had "already strengthened the security of our systems, and we are continuing to invest in measures designed to reduce the risk of anything like this happening again," and apologized for any distress caused.
Those assertions are the extent of the remediation details disclosed in the customer emails seen by The Register; the company did not provide further technical detail or a public account of how the breach occurred or the full scale of data accessed.
What this means for customers, regulators, and e‑commerce security teams
- Customers and shoppers: Miinto's notice identifies the immediate practical risk — phishing and impersonation using the exposed order and contact details. Because payment method types (card versus pay‑in‑three) may be visible, customers should treat unexpected messages that reference their orders or payment method with caution and verify communications through Miinto's official channels.
- Regulators and law enforcement: Miinto said it has reported the incident to the police and the relevant data protection authority, initiating the formal notification and investigative processes those bodies oversee.
- E‑commerce security teams: The intruder's access to an "internal order management system" and the company's subsequent step to increase access controls highlight the kinds of internal platforms that attackers target and the value of restricting privileges and monitoring order‑processing systems.
Miinto, founded in 2009 and operating in 14 countries, reported in January that annual revenues had risen 86 percent to 869 million kroner (about $132.9 million). The company says it has contained the intrusion and tightened controls, but its email does not quantify the number of affected customers nor disclose the technical vector used to gain access. For now, Miinto's direct warning — and its call to watch for convincing impersonations that use stolen order details — is the clearest guidance available to those who shopped on its platform.




