Fashion retailer Inditex, the parent company of Zara, has confirmed unauthorized access to customer transaction databases hosted by a third-party provider.
Data breach notification service Have I Been Pwned said approximately 197,400 unique email addresses were included in the leaked dataset.
The company said it had launched security protocols and notified the relevant authorities following the incident, Reuters reports.
It was reported that the data leak included customers’ email addresses, purchase history, order IDs, product information, and support ticket information. Inditex confirmed that passwords, payment card information, and physical addresses were not breached, and that its internal operations and systems remained untouched.
BleepingComputer reports linked the incident to the ShinyHunters extortion group, which allegedly accessed the data through compromised authentication tokens connected to analytics provider Anodot.
The group is believed to have leaked the information after unsuccessful extortion attempts.
Even though none of the financial information or passwords was compromised, the theft of the purchase records and contact center conversations could lead to phishing and social engineering attacks.
The specific context provided by the data would make it possible for bad actors to create highly believable scams posing as retail and customer service representatives.
Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, said: “For shoppers, this matters in a very practical way. The data in these breaches doesn’t stay in one place. It gets traded, combined with information from other leaks, and used to build surprisingly complete pictures of real people. That translates into more convincing phishing attempts, account takeover attempts on any site where you’ve used the same email and password, and, in some cases, targeted fraud.”
Patel says anyone who shops at Zara or any Inditex brand should change their password, check whether their email appears on Have I Been Pwned, and be alert to any communications that reference their account or recent purchases.
“This breach didn’t happen because someone broke through layers of advanced security. It happened because compromised authentication tokens gave attackers access to cloud-hosted data infrastructure. That’s a Software-as-a-Service (SaaS) and credential management problem, and it’s one that organisations continue to underestimate.
“ShinyHunters have built a playbook around exactly this gap, and they’re running it repeatedly because it keeps working. Until businesses treat SaaS credential protection, token lifecycle management, and third-party access monitoring as genuinely critical security priorities rather than secondary concerns, the breach notifications are going to keep coming.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


