197,400 people exposed, Have I Been Pwned says
"The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in," Have I Been Pwned said after analyzing a trove of files leaked by an extortion gang. The data-breach notification service concluded the incident exposed the personal information of 197,400 people tied to Zara, the Spanish fast-fashion retailer.
Inditex confirms breach at a former technology provider, denies access to names or payments
Inditex, Zara’s parent company, said the compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets. Inditex added that attackers "didn't gain access to affected customers' names, phone numbers, addresses, credentials, or payment information (such as bank cards)." The company said its operations and systems were unaffected, that it "has immediately applied its security protocols and has started notifying the relevant authorities," and that it has not yet attributed the incident to a named threat actor or disclosed the identity of the hacked provider.
ShinyHunters claims responsibility; leak includes 140GB archive, BigQuery and Anodot tokens cited
The cybercrime gang ShinyHunters has claimed responsibility for the incident and posted a 140GB archive of documents it says were stolen. According to the claim, the files were taken from BigQuery instances using compromised Anodot authentication tokens. Have I Been Pwned’s analysis of the leaked material is the source for the 197,400 figure.
The gang itself told BleepingComputer that it had used Anodot tokens to steal data from dozens of companies and that it was blocked by AI-based detection when attempting to steal data from Salesforce instances. ShinyHunters has also described using social-engineering techniques aimed at single-sign-on (SSO) accounts: the group has been linked to a vishing campaign targeting employees' and business process outsourcing (BPO) agents' Microsoft Entra, Okta, and Google SSO accounts to access connected SaaS applications.
ShinyHunters’ wider campaign and other victims named in its claims
The group has claimed responsibility for a long list of high-profile intrusions in recent months, according to the reporting: Google, Cisco, PornHub, Match Group, Vimeo, Rockstar Games, ADT, the European Commission, Vercel, McGraw Hill, Medtronic, Carnival, 7‑Eleven, and Udemy. More recently, ShinyHunters described two intrusions of Instructure: a first theft of data and a second operation that exploited a security vulnerability to deface Canvas login portals for approximately 330 colleges and universities, accompanied by a ransom threat to avoid data disclosure.
The report also notes a separate retail incident: MANGO, another Spanish fashion retailer, told customers in October that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. No extortion or ransomware group has claimed the MANGO incident, and the attackers there remain unnamed.
What this means for technologists, retailers, and customers
- Technologists and security teams: The intrusion, as described, highlights the value attackers place on credentials and tokens that bridge telemetry and cloud analytics services—here, Anodot tokens and BigQuery storage. Teams should watch for token misuse and for leaked archives containing product SKUs, order IDs, and support tickets that can be correlated across systems.
- Retail procurement and operations leaders: Inditex’s account centers the failure at a former technology provider. Organizations that outsource analytics or customer‑relationship workloads will likely review vendor offboarding and data-retention policies, and examine how third-party access is revoked and audited when contracts end.
- Customers of Zara and similar retailers: The exposed records, as analyzed, included unique email addresses, geographic locations, purchases, and support tickets — data that can feed phishing and targeted scams even where names, phone numbers, and payment details were not exposed. Affected customers should expect official notifications from the company and exercise caution with unsolicited messages referencing orders or support interactions.
Inditex has begun notifying authorities and said it applied security protocols immediately; ShinyHunters has published a large archive and named the mechanisms it says it used. The two accounts intersect on a breached vendor and leaked data, but Inditex has not yet named that provider, and the company has not attributed the breach to a specific actor. That gap — and the presence of a public 140GB leak tied to BigQuery and Anodot tokens — leaves technical teams and investigators with concrete artifacts to reconcile as they determine scope and remediation.
Original reporting on the Zara data breach — BleepingComputer




