Zara Data Breach Exposes Data of Nearly 200,000 Customers

Summary

– A ShinyHunters campaign compromised data of over 197,000 Zara customers, including email addresses, SKUs, and order IDs, according to HaveIBeenPwned.
– Zara parent Inditex stated no names, passwords, or payment details were affected, and that it notified authorities about the breach originating from a former technology provider.
– The incident stemmed from stolen authentication tokens from analytics provider Anodot, used to access BigQuery and Snowflake instances, with a 140GB data trove leaked.
– Other corporate victims of the same campaign include Vimeo, Rockstar Games, and McGraw Hill, with millions impacted and up to 95 million support ticket records accessed.
– ShinyHunters also breached edtech provider Instructure in late April 2026, affecting 8,809 Canvas users globally, and defaced login portals to demand a ransom by May 12.

A ShinyHunters campaign has compromised the personal data of more than 197,000 customers of fashion retailer Zara, as confirmed by HaveIBeenPwned. The data breach notification service disclosed that the stolen information includes unique email addresses, product Stock Keeping Units (SKU), order IDs, and details related to support tickets, originating from an incident in April 2026.

Initially, Zara’s parent company Inditex stated that no names, passwords, bank-card numbers, or other payment details were impacted. “Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” the group announced in mid-April. The company’s operations reportedly remained unaffected.

The breach is believed to have originated from an attack on analytics provider Anodot. Stolen authentication tokens from Anodot were used to access multiple downstream data platforms. ShinyHunters leaked a 140GB trove of documents it claimed to have taken from BigQuery instances accessed via these tokens. Other corporate victims of this “pay or leak” campaign are thought to include Vimeo, Rockstar Games, and edtech giant McGraw Hill, affecting millions of customers.

HaveIBeenPwned reported that the group claimed to have accessed as many as 95 million support ticket records through this method. The data was stored not only in BigQuery but also in victims’ Snowflake instances.

ShinyHunters Casts a Wide Net

In late April 2026, ShinyHunters also targeted Instructure, the company behind the Canvas Learning Management System. That breach compromised names, email addresses, student ID numbers, and messages, though no passwords, dates of birth, government identifiers, or financial data were affected. TrendAI said the breach affects 8,809 users of the Canvas platform across 50 countries. “The breach affects universities, K–12 school districts, and teaching hospitals globally, including eight Ivy League institutions,” it explained. “Because Canvas stores sensitive personal disclosures, for example, medical accommodation requests and private advisor conversations, the primary risk is highly targeted spear‑phishing using real institutional context. The immediate risk is follow‑on social engineering, credential abuse, and targeted phishing campaigns.”

To pressure Instructure into paying a ransom by May 12, ShinyHunters defaced Canvas login portals for hundreds of educational institutions by exploiting a vulnerability. “If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked,” the note read.

(Source: Infosecurity Magazine)
