
ShinyHunters Breach Exposes 200,000 Zara Customers


"Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access," the group said in mid‑April.

HaveIBeenPwned: the Zara data set and scale

Data breach notification service HaveIBeenPwned reported that a ShinyHunters campaign compromised information belonging to over 197,000 customers of fashion outlet Zara. The service posted a brief note explaining that data stolen during an April 2026 incident included unique email addresses alongside product Stock Keeping Units (SKUs), order IDs and information relating to support tickets.

According to the same reporting, Inditex — Zara’s parent company — initially claimed that no names, passwords, bank‑card details or any other payment methods were affected by the incident, and that its operations apparently remained unaffected.

Anodot, authentication tokens, and downstream data access

The incident is believed to have stemmed from an attack on analytics provider Anodot. Stolen Anodot authentication tokens were used to access a number of downstream data platforms, and ShinyHunters leaked a 140GB trove of documents it claimed to have stolen from BigQuery instances accessed via these tokens.

HaveIBeenPwned noted the data was held not only in BigQuery but also in corporate victims’ Snowflake instances, tying the exposure to cross‑platform access enabled by the compromised tokens.

ShinyHunters' 'pay or leak' campaign and other corporate victims

ShinyHunters framed the operation as a broader "pay or leak" campaign. The reporting names Vimeo, Rockstar Games and edtech giant McGraw Hill among the believed corporate victims, and says millions of customers have been impacted across the campaign.

HaveIBeenPwned reported that the group claimed to have accessed as many as 95 million support ticket records through similar means. The leak of a 140GB corpus from BigQuery instances is presented by ShinyHunters as part of that wider haul.

Instructure, Canvas, and the education extortion timeline

In late April 2026 ShinyHunters targeted edtech provider Instructure, the company behind the Canvas Learning Management System. That incident resulted in the compromise of names, email addresses and student ID numbers, as well as messages. Instructure, per the reporting, claimed that no passwords, dates of birth, government identifiers, or financial information were affected.

TrendAI said the breach affects 8,809 users of its Canvas platform across 50 countries and that the affected institutions include universities, K–12 school districts, and teaching hospitals globally, "including eight Ivy League institutions." The immediate risk identified by TrendAI centers on targeted spear‑phishing and follow‑on social engineering using real institutional context.

To pressure Instructure to pay a ransom by May 12, ShinyHunters defaced Canvas login portals for hundreds of education institutions by exploiting a vulnerability. The extortion note read: "If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked."

How technologists, procurement leaders, and education institutions are responding

  • Technologists and security teams: Will be watching the mechanics detailed in this campaign — stolen Anodot authentication tokens, access to BigQuery and Snowflake, and the contents of the 140GB trove — to assess lateral exposure from third‑party analytics credentials.
  • Procurement leaders and vendor managers: Face a clear signal that a breach at a former technology provider can cascade to downstream customers; the incidents named here (Anodot, Instructure) underscore the need to review third‑party data access controls and token management.
  • Education institutions and administrators: Now confronting both the operational disruption of defaced Canvas portals and the longer‑term risk of spear‑phishing, particularly where course and support records contain sensitive disclosures that can be used for targeted social engineering.

The factual thread running through these incidents is concrete: stolen analytics provider tokens, cross‑platform access to BigQuery and Snowflake, a publicly claimed 140GB leak, and a hard extortion deadline set for May 12 in the Instructure matter. What happens next will hinge on whether affected organizations recover control of exposed credentials, whether ShinyHunters follows through on further releases, and how authorities and the impacted companies proceed with notification and remediation.

https://www.infosecurity-magazine.com/news/zara-data-breach-impacts-200000/