Hackers who accessed databases linked to Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned.
Zara is the flagship brand of Inditex Group, one of the world’s biggest fashion retailers. The company operates more than 1,500 company-managed and franchised stores worldwide and also owns brands such as Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.
Inditex said last month that the breach involved databases hosted by a former technology provider. These databases contained information related to business relationships with customers in different markets. The company said the incident did not affect Zara’s own systems or operations.
According to Inditex, the attackers did not access customers’ names, phone numbers, addresses, login credentials, or payment information such as bank card details. The company said it quickly activated its security protocols and began notifying the relevant authorities about the unauthorized access.
Inditex has not yet named the former technology provider involved in the breach or confirmed which threat actor was behind the attack. However, the ShinyHunters extortion gang later claimed responsibility and leaked a 140GB archive of files allegedly stolen from BigQuery instances using compromised Anodot authentication tokens.
Have I Been Pwned reviewed the stolen data and said the breach exposed information linked to 197,400 people. The leaked data included unique email addresses, geographic locations, purchase details, support tickets, product SKUs, order IDs, and the market where each support ticket originated.
New breach: Zara was named as a ShinyHunters victim last month, after which data containing 197k unique email addresses was published. Impacted data included customer support records, product SKUs and order IDs. 60% were already in @haveibeenpwned. More: https://t.co/0hIQbqoBCk
— Have I Been Pwned (@haveibeenpwned) May 8, 2026
ShinyHunters previously told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. The group also claimed that AI-based detection blocked its attempts to steal information from Salesforce instances.
The cybercrime gang has also been connected to a wider vishing campaign targeting employees and business process outsourcing agents. These attacks reportedly focused on Microsoft Entra, Okta, and Google SSO accounts, allowing attackers to access data stored in connected SaaS platforms such as Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, and Google Workspace.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
