Zara Data Breach Exposes Information of Nearly 200,000 Customers
A security breach at a former third-party technology provider has exposed the personal data of 197,400 Zara customers, according to findings from Have I Been Pwned.

A data breach involving a former technology provider has resulted in the exposure of personal information belonging to 197,400 Zara customers. The incident, which was confirmed by the data breach notification service Have I Been Pwned, involved unauthorized access to databases containing records related to business relationships with customers across various international markets (BleepingComputer).
The breach originated from a security incident at a third-party technology provider rather than Zara’s own internal systems. According to reports, the extortion group ShinyHunters claimed responsibility for the intrusion, asserting that they accessed the data by leveraging compromised Anodot authentication tokens to infiltrate BigQuery instances. The stolen archive, reportedly totaling 140GB, contained sensitive business records, though Inditex, Zara’s parent company, has stated that the attackers did not gain access to customer names, phone numbers, physical addresses, login credentials, or payment information such as bank cards (BleepingComputer).
Analysis by Have I Been Pwned revealed that the exposed dataset includes 197,400 unique email addresses, as well as specific product SKUs, order IDs, and the geographic market associated with individual support tickets. While Inditex has maintained that its own operations and primary systems remain unaffected, the company has initiated its security protocols and notified relevant authorities regarding the unauthorized access (BleepingComputer).
The ShinyHunters group has been linked to a series of high-profile data thefts and extortion campaigns. The gang has previously claimed to have compromised dozens of organizations by targeting SaaS applications through stolen authentication tokens and vishing campaigns aimed at Microsoft Entra, Okta, and Google SSO accounts. Their recent activity includes claims of breaching major entities such as Cisco, Google, and the European Commission, as well as multiple attacks against the education technology firm Instructure (BleepingComputer).
Inditex has not yet publicly identified the specific third-party provider involved in the incident or attributed the breach to a specific threat actor. The company continues to manage the fallout of the exposure while working with authorities to investigate the scope of the unauthorized access (BleepingComputer).
This incident highlights the ongoing risks associated with third-party vendor ecosystems, where security failures at a single service provider can impact numerous downstream clients. As organizations increasingly rely on external SaaS and data management platforms, the security of authentication tokens and third-party access controls has become a critical focal point for threat actors. The Zara breach serves as a reminder of the potential for supply chain vulnerabilities to expose customer data even when a primary brand’s internal security remains intact (BleepingComputer).