Spanish fashion giant Zara has confirmed a customer data breach affecting nearly 200,000 people after hackers allegedly linked to the ShinyHunters extortion group leaked stolen information online.
The breach impacted Zara’s parent company, Inditex, which owns several global retail brands, including Pull&Bear, Bershka, Massimo Dutti, and Stradivarius. According to the company, the incident originated from a compromise involving a former third-party technology provider rather than Zara’s own internal systems.
Inditex disclosed the breach in April after ShinyHunters added Zara to its dark web leak site as part of the group’s “pay or leak” extortion campaign. The attackers claimed they had gained access to Zara-related BigQuery databases and threatened to publish the stolen files unless demands were met.
After negotiations apparently failed, the hackers released a large archive of allegedly stolen data online. Data breach tracking service Have I Been Pwned later analyzed the leak and confirmed that approximately 197,400 unique email addresses were exposed.
The leaked information reportedly included email addresses, order IDs, geographic market information, purchase history, product SKUs, and customer support ticket data. While Inditex stated that names, passwords, payment card details, phone numbers, and physical addresses were not compromised, cybersecurity experts warn that the exposed data could still be highly valuable for phishing attacks and social engineering scams.
Attackers could potentially use real order details and support ticket information to create convincing fake customer service emails or fraudulent delivery notifications targeting Zara shoppers. Researchers say this type of contextual information often increases the success rate of phishing campaigns because victims are more likely to trust messages referencing legitimate purchases or support interactions.
The breach has been linked to a larger wave of attacks tied to analytics provider Anodot. According to reports, ShinyHunters allegedly compromised authentication tokens connected to the platform and then used them to access cloud-hosted customer data belonging to multiple companies.
HaveIBeenPwned said the leaked Zara dataset was part of a much larger publication that allegedly included around 95 million support ticket records.
Inditex said it immediately activated security protocols and notified relevant authorities after discovering the unauthorized access. The company also stated that business operations and customer-facing systems were not disrupted during the incident.
The attack adds Zara to a growing list of major brands allegedly targeted by ShinyHunters in recent years. The group has repeatedly focused on cloud services, analytics platforms, and third-party integrations to gain access to large volumes of corporate and customer data.