Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned.
Zara has over 1,500 company-managed and franchised stores worldwide and is the flagship brand of the Inditex Group, one of the world’s largest fashion distribution groups, which also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.
As Inditex stated last month, when the data breach was widely reported, the compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets.
However, Inditex noted that the attackers didn’t gain access to affected customers’ names, phone numbers, addresses, credentials, or payment information (such as bank cards).
It also added that its operations and systems were unaffected, but has yet to attribute the breach to a specific threat actor and to share the name of the hacked provider.
“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” Inditex said.
While Inditex and Zara have yet to disclose more details regarding the incident, including the total number of affected individuals, the ShinyHunters extortion gang has since claimed responsibility for the breach and leaked a 140GB archive containing documents allegedly stolen from BigQuery instances using compromised Anodot authentication tokens.
Have I Been Pwned analyzed the stolen data and said today that the resulting data breach exposed the data of 197,400 people, including unique email addresses, geographic locations, purchases, and support tickets. “The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in,” Have I Been Pwned said.
Previously, the cybercrime gang told BleepingComputer that they had stolen data from dozens of companies using Anodot authentication tokens, adding that they were blocked by AI-based detection when trying to steal data from Salesforce instances.
The group has also been linked to a widespread vishing campaign targeting employees’ and Business Process Outsourcing (BPO) agents’ Microsoft Entra, Okta, and Google SSO accounts to steal data from connected SaaS applications (including Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others) after breaching corporate SSO accounts.
Other breaches claimed by ShinyHunters in recent months include Google, Cisco, PornHub, online dating giant Match Group, video service Vimeo, Rockstar Games, home security giant ADT, the European Commission, edtech giant McGraw Hill, medical device maker Medtronic, cruise line operator Carnival, convenience store chain 7-Eleven, and online training company Udemy.
More recently, ShinyHunters hacked education technology giant Instructure twice, the second time exploiting a security vulnerability to deface Canvas login portals for approximately 330 colleges and universities and threatening to leak data stolen in the earlier Instructure breach unless a ransom is paid.
MANGO, another Spanish fashion retailer giant, also sent notices of a data breach to its customers in October, warning them that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. However, no ransomware or extortion groups have claimed the MANGO incident, so the attackers remain unknown.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
