ShinyHunters Breach at Zara Exposes 197,000 Customers via Stolen Anodot Tokens
The ShinyHunters group breached Zara, compromising over 197,000 customer records after stealing authentication tokens from analytics provider Anodot.
The ShinyHunters threat group has struck again, this time compromising the data of more than 197,000 customers of fashion retailer Zara. According to HaveIBeenPwned, the breach stemmed from an attack on analytics provider Anodot, where stolen authentication tokens were used to access downstream data platforms. The incident in April 2026.
The exposed data includes email addresses, product Stock Keeping Units (SKU), order IDs, and information related to support tickets. Zara's parent company, Inditex, has stated that no names, passwords, bank-card details, or other payment methods were affected. The company said it immediately applied its security protocols and began notifying relevant authorities, noting that the unauthorized access originated from a security incident affecting a former technology provider.
ShinyHunters leaked a 140GB trove of documents allegedly stolen from BigQuery instances accessed via the compromised Anodot tokens. The group's "pay or leak" campaign is believed to have also impacted other corporate victims, including Vimeo, Rockstar Games, and edtech giant McGraw Hill. HaveIBeenPwned reported that the group claimed to have accessed as many as 95 million support ticket records, with data held not only in BigQuery but also in Snowflake instances of the affected companies.
In late April 2026, ShinyHunters also targeted Instructure, the company behind the Canvas Learning Management System. That breach compromised names, email addresses, student ID numbers, and messages, though no passwords, dates of birth, government identifiers, or financial information were affected. TrendAI reported that the breach affected 8,809 users of the Canvas platform across 50 countries, including eight Ivy League institutions.
To pressure Instructure into paying a ransom by May 12, 2026, ShinyHunters defaced Canvas login portals for hundreds of educational institutions by exploiting a vulnerability. The defacement message warned that if the schools did not negotiate a settlement, all data would be leaked. The group's tactics highlight a growing trend of attackers using stolen authentication tokens to pivot into cloud environments and extort multiple victims simultaneously.
The Zara breach underscores the cascading risks of third-party analytics providers. When attackers compromise a single vendor like Anodot, they can gain access to the data of numerous downstream customers across multiple large enterprises. Organizations are urged to audit their third-party access tokens, implement strict token expiration policies, and monitor for anomalous data exfiltration from cloud data warehouses.
As of now, Inditex has not disclosed whether any ransom was paid or ified or if the stolen data has been publicly leaked. The incident adds to a growing list of high-profile breaches attributed to ShinyHunters, who have increasingly focused on supply-chain attacks that exploit trusted vendor relationships to maximize impact.