Zara Data Breach Exposes 197,000 Customer Records

ShinyHunters stole 140GB from Zara via compromised Anodot tokens, exposing emails, purchases, and support tickets for 197,400 people. Here's what happened.

May 8, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

The Zara data breach is now confirmed to have exposed personal information belonging to 197,400 people, according to Have I Been Pwned. The stolen data includes unique email addresses, geographic locations, product purchase details, and customer support tickets. Zara's parent company Inditex confirmed the incident stems from a compromised former technology provider, not from Inditex's own production systems.

Notably, Inditex says names, phone numbers, physical addresses, login credentials, and payment information were not exposed. That's a meaningful distinction. But 197,000 records containing emails, order IDs, and support history still represent a significant leak, and the threat actor behind it is one of the most active extortion groups operating right now.

How ShinyHunters Pulled Off the Zara Breach

The ShinyHunters gang has claimed responsibility and released a 140GB archive of documents allegedly taken from BigQuery instances. The vector was compromised Anodot authentication tokens. Anodot is a cloud analytics platform. By obtaining valid auth tokens, the attackers bypassed normal access controls and queried data directly from the cloud data warehouse without needing to exploit a software vulnerability in the traditional sense.

This is a credential-based attack, not a zero-day exploit. The attacker had a key to the front door. ShinyHunters told BleepingComputer they used the same approach against dozens of companies, pivoting across cloud environments using stolen tokens. They were eventually blocked by AI-based detection when attempting to access Salesforce instances, which gives you a rough picture of how far they got before hitting resistance.

Third-Party Provider Risk Is the Real Story

Inditex has been careful not to name the compromised provider. That opacity is frustrating, but it also highlights a pattern that keeps showing up in major breaches. The vulnerable point wasn't Zara's internal infrastructure. It was a vendor with access to production data.

Third-party cloud service providers routinely hold customer data for analytics, support, and business intelligence purposes. When those providers are breached, the blast radius extends to every customer they serve. MANGO, another Spanish fashion retailer, disclosed a similar situation in October after its marketing vendor was hacked.

What Developers and Security Teams Should Do Now

If your application pushes data to third-party analytics or cloud data warehouse providers, you need to treat that data flow as an attack surface. Here's where to focus:

  • Audit active API tokens and service credentials for any third-party integrations. Rotate anything that hasn't been rotated in the last 90 days.
  • Apply least-privilege access to cloud data environments like BigQuery, Snowflake, or Redshift. Vendors should never get read access to more data than their function requires.
  • Monitor for anomalous query patterns on your data warehouse. Large bulk exports or unusual access times are often the first detectable sign of credential abuse.
  • Review your vendor security assessments. Ask providers directly whether they store auth tokens in a way that could be exfiltrated, and whether they have anomaly detection on data access.
  • Segment customer data by sensitivity. If support ticket data and payment data live in the same dataset, a single compromised token can expose both.
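
A minimal sketch of the query-pattern monitoring described in the list above, added here as an illustration and not taken from the original report or from any vendor's tooling. The record layout, principal names and thresholds are assumptions, and the sample job records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample job records (not real logs): (principal, UTC time, bytes read).
# Field layout is an assumption; map it from your warehouse's job/audit log export.
SAMPLE_JOBS = [
    ("vendor-analytics@example.iam", "2026-04-01T09:12:00", 2_000_000_000),
    ("vendor-analytics@example.iam", "2026-04-08T10:03:00", 1_800_000_000),
    ("vendor-analytics@example.iam", "2026-04-15T09:40:00", 2_200_000_000),
    ("vendor-analytics@example.iam", "2026-04-22T11:05:00", 2_000_000_000),
    ("vendor-analytics@example.iam", "2026-05-02T10:05:00", 2_100_000_000),
    ("vendor-analytics@example.iam", "2026-05-03T03:17:00", 140_000_000_000),
    ("new-integration@example.iam", "2026-05-04T14:00:00", 500_000_000),
]

def flag_anomalies(jobs, baseline_end, bulk_factor=10, min_history=3):
    """Flag jobs at or after baseline_end that read far more than the
    principal's baseline median or run at an hour absent from its baseline."""
    cutoff = datetime.fromisoformat(baseline_end)
    sizes, hours, recent = defaultdict(list), defaultdict(set), []
    for principal, ts, nbytes in jobs:
        t = datetime.fromisoformat(ts)
        if t < cutoff:                      # baseline window: learn normal behaviour
            sizes[principal].append(nbytes)
            hours[principal].add(t.hour)
        else:                               # detection window: evaluate later
            recent.append((principal, t, nbytes))
    alerts = []
    for principal, t, nbytes in recent:
        reasons = []
        if len(sizes[principal]) < min_history:
            reasons.append("no_baseline")   # credential with no usage history
        else:
            if nbytes > bulk_factor * median(sizes[principal]):
                reasons.append("bulk_read")
            if t.hour not in hours[principal]:
                reasons.append("unusual_hour")
        if reasons:
            alerts.append((principal, t.isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_JOBS, "2026-05-01T00:00:00"):
        print(alert)
```

In practice the baseline would be a rolling window of job history per credential, and each alert would be joined to the token inventory so the flagged credential can be reviewed and rotated.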

You can run an automated scan of your web application's exposed endpoints and authentication surfaces at VibeWShield's scanner. Catching misconfigurations before an attacker does is cheaper than breach notification.

ShinyHunters has now been linked to breaches at Google, Cisco, ADT, the European Commission, McGraw Hill, Medtronic, Match Group, Vimeo, Rockstar Games, Instructure, and others. The group is not slowing down, and their preferred method of compromising third-party service credentials continues to work.


How did ShinyHunters access Zara's data without hacking Zara directly?

They used compromised authentication tokens belonging to Anodot, a third-party analytics provider that had access to Zara's cloud data warehouse instances on BigQuery. Valid tokens meant no need to exploit a vulnerability, just authenticate and query.

Was payment information exposed in the Zara breach?

Inditex says no. The confirmed exposed data includes email addresses, geographic locations, product SKUs, order IDs, and support ticket details. Names, phone numbers, addresses, credentials, and payment card data were not part of the compromised datasets according to the company.

What's the biggest takeaway for developers building SaaS integrations?

Treat every third-party service credential as a potential attack vector. Rotate tokens regularly, apply minimal permissions, and monitor data access patterns in your cloud warehouse environments. A vendor breach can expose your users even when your own systems are never touched.

