What happened
Have I Been Pwned has confirmed that a data breach at Spanish fast-fashion retailer Zara exposed the personal information of 197,400 people, including unique email addresses, geographic locations, purchase data, and customer support tickets. The breach was carried out by the ShinyHunters extortion group as part of a broader campaign exploiting compromised Anodot analytics platform authentication tokens to access cloud data belonging to multiple companies.
Inditex, Zara’s parent company, disclosed in April 2026 that unauthorized access had occurred to databases hosted by a former technology provider. The company specified that the compromised databases did not contain names, phone numbers, addresses, passwords, or payment information. ShinyHunters subsequently listed Zara on its dark web leak portal and set an April 21 deadline for Inditex to make contact. No ransom payment was confirmed, and the data was published on April 22 after the deadline passed. ShinyHunters claimed the stolen archive totaled 140GB, extracted from BigQuery instances using the compromised Anodot tokens, and that the full dataset allegedly included up to 95 million support ticket records.
The Anodot compromise is the same entry point used against Vimeo and Rockstar Games, among dozens of other companies. ShinyHunters has previously told BleepingComputer that AI-based detection eventually blocked further theft attempts during the Anodot campaign. Zara operates over 1,500 stores worldwide and is the flagship brand of Inditex, which also owns Bershka, Pull&Bear, Massimo Dutti, Stradivarius, and other major retail brands.
Who is affected
197,400 Zara customers across multiple markets face exposure of email addresses, order IDs, product SKUs, support ticket content, and geographic location data. While Inditex confirmed that credentials and payment details were not compromised, the support ticket data adds context that can be used to craft convincing phishing messages referencing real order and purchase history.
Why CISOs should care
The Zara breach is the latest confirmed downstream victim of the Anodot analytics platform compromise, joining Vimeo and Rockstar Games as named organizations whose data was accessed through a single third-party vendor’s stolen authentication tokens. The pattern is consistent and now well-documented: ShinyHunters compromises an analytics or monitoring platform, uses its tokens to access downstream customer cloud environments, and monetizes the resulting data through extortion with short deadlines.
For security leaders, the Anodot campaign underscores that analytics and monitoring vendors, which often hold cloud authentication tokens with broad data access, represent a meaningful supply chain risk category that is rarely subject to the same scrutiny as direct infrastructure vendors.
3 practical actions
- Audit all analytics and monitoring platform integrations for the scope of cloud authentication tokens they hold: The Anodot campaign succeeded because stolen tokens provided access to downstream BigQuery and Snowflake environments. Review what cloud storage and analytics access your monitoring vendors hold, and apply least-privilege scoping to those tokens to limit what any single compromised credential can reach.
- Check Have I Been Pwned for corporate email domain exposure in the Zara dataset: Organizations can use HIBP’s domain search to identify whether any corporate email addresses appear in the Zara breach data, which would indicate employees who may face targeted phishing using their Zara order and support history as social engineering material.
- Treat the Anodot breach as an ongoing risk if your organization uses the platform or similar analytics vendors: ShinyHunters has claimed to have used Anodot tokens against dozens of companies. If your organization is an Anodot customer or uses a comparable analytics platform with similar cloud token access, confirm that any tokens the vendor holds have been rotated since the compromise period and that access has been reviewed.
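For the first action, one way to start the token-scope audit on Google Cloud is to read the project IAM policy and list vendor-held service accounts that carry project-wide BigQuery or basic roles. This is an added example, not code from the article or from any vendor; the policy, the account names and the "vendor-" naming convention are constructed assumptions.

```python
import json

# Basic roles and project-wide BigQuery data roles (real GCP role names).
BROAD_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/bigquery.admin", "roles/bigquery.dataOwner",
    "roles/bigquery.dataEditor", "roles/bigquery.dataViewer",
}

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.dataViewer",
   "members": ["serviceAccount:vendor-analytics@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.jobUser",
   "members": ["serviceAccount:vendor-analytics@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "condition": {"title": "expires", "expression": "request.time < timestamp('2026-06-01T00:00:00Z')"},
   "members": ["serviceAccount:vendor-monitoring@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.admin",
   "members": ["serviceAccount:etl-internal@example-project.iam.gserviceaccount.com",
               "user:admin@example.com"]}
]}
""")

def audit_vendor_bindings(policy, vendor_markers):
    """Return vendor service accounts that hold a broad role at project level."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            # Assumption: vendor-held identities follow a naming convention.
            if kind == "serviceAccount" and any(m in ident for m in vendor_markers):
                findings.append({
                    "member": ident,
                    "role": role,
                    # An IAM condition narrows the grant but does not remove it.
                    "conditional": "condition" in binding,
                })
    return findings

if __name__ == "__main__":
    for f in audit_vendor_bindings(SAMPLE_POLICY, ["vendor-"]):
        print(f"{f['member']} holds {f['role']} project-wide (conditional={f['conditional']})")
```

The project policy does not show access granted directly on individual datasets, so dataset-level grants need a separate review.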
