Zara Data Breach: 197,000 Emails Exposed via Compromised Anodot Tokens


In April 2026, the extortion group ShinyHunters published a 140 GB dataset belonging to Zara, claiming they gained access to Google BigQuery instances through compromised Anodot authentication tokens. Data verification service Have I Been Pwned (HIBP) has since confirmed the exposure of approximately 197,400 unique email addresses, along with order IDs, product SKUs, and customer support tickets. While Zara parent company Inditex confirmed a security incident at a former third-party technology provider, it has not publicly attributed the breach to a specific vector or named Anodot, leaving a transparency gap that potentially heightens risks for affected customers.

Key Takeaways
  • ShinyHunters leaked a 140 GB Zara archive as part of a "pay or leak" campaign in April 2026, claiming to have exploited Anodot tokens to access BigQuery instances.
  • Have I Been Pwned verified approximately 197,400 unique email addresses, order IDs, product SKUs, geographic market data, and support ticket transcripts within the dataset.
  • Inditex confirmed unauthorized access to databases hosted by a former third-party vendor, while clarifying that names, passwords, payment details, physical addresses, and phone numbers were not exposed.
  • The company has not officially attributed the attack to a specific threat actor or confirmed Anodot as the vector, creating an information vacuum regarding the risk of sophisticated spear-phishing.

The Anodot Vector: Stolen Tokens and BigQuery Exploitation

According to claims posted by ShinyHunters on their Tor leak site, the breach of Zara’s data was facilitated by exploiting authentication tokens from the Anodot platform. The group issued a direct warning: "Your Bigquery instances data was compromised." These tokens reportedly allowed the attackers to infiltrate Google BigQuery instances containing analytics data and support tickets.

The exact method used to compromise the tokens remains undocumented. It is currently unclear whether the theft resulted from phishing, an insider threat, a misconfiguration, or another vulnerability. This lack of detail makes it difficult to assess the full depth of the compromise beyond the threat actor's public claims.

ShinyHunters asserted that the Zara archive totals roughly 140 GB, though they provided no technical specifics regarding the exfiltration path or the precise timing of the cloud instance access. The leak is part of the group's broader "pay or leak" strategy, where data is published if the victim refuses to meet ransom demands.
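For teams that grant a third-party analytics platform access to BigQuery, one way to review how that credential has been used is to filter Cloud Audit Logs for the integration's principal and flag calls from outside the vendor's expected egress ranges. This is an added example, not code from Inditex, Anodot or the reporting; the principal name and IP ranges are assumptions, and the log entries are constructed samples.

```python
import ipaddress
import json

# Assumptions (not from the article): the integration's principal and the
# egress ranges the vendor documents for its connectors.
VENDOR_PRINCIPAL = "analytics-connector@example-project.iam.gserviceaccount.com"
EXPECTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample entries in the Cloud Audit Logs LogEntry JSON shape.
SAMPLE_LOG = """\
{"timestamp":"2026-01-10T09:00:01Z","protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.JobService.InsertJob","authenticationInfo":{"principalEmail":"analytics-connector@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.17"}}}
{"timestamp":"2026-01-10T02:14:55Z","protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.JobService.InsertJob","authenticationInfo":{"principalEmail":"analytics-connector@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.50"}}}
{"timestamp":"2026-01-10T02:15:10Z","protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.JobService.InsertJob","authenticationInfo":{"principalEmail":"analyst@example.com"},"requestMetadata":{"callerIp":"203.0.113.9"}}}
{"timestamp":"2026-01-10T02:16:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"analytics-connector@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.50"}}}
{"timestamp":"2026-01-10T02:17
"""

def review_vendor_access(lines, principal=VENDOR_PRINCIPAL, ranges=EXPECTED_RANGES):
    """Return (timestamp, caller_ip, method) for BigQuery calls made by
    `principal` from an address outside `ranges`."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            payload = entry.get("protoPayload", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines instead of aborting
        if payload.get("serviceName") != "bigquery.googleapis.com":
            continue
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        ip_text = payload.get("requestMetadata", {}).get("callerIp", "")
        try:
            ip = ipaddress.ip_address(ip_text)
            expected = any(ip in net for net in ranges)
        except ValueError:
            expected = False  # missing or non-IP caller value: surface it
        if not expected:
            findings.append((entry.get("timestamp"), ip_text, payload.get("methodName")))
    return findings

if __name__ == "__main__":
    for finding in review_vendor_access(SAMPLE_LOG.splitlines()):
        print(finding)
```

An empty result only means no call came from outside the listed ranges; use of the credential from inside them would not appear here.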

Inside the 140 GB Archive: Emails, SKUs, and Support Logs

Have I Been Pwned, a leading service for data breach verification, cataloged the Zara dataset and confirmed 197,400 unique email addresses. Beyond contact information, the leak includes order IDs, product SKUs, the geographic market associated with the tickets, and the actual text of customer support inquiries.

While these records do not contain payment card data or physical addresses, they provide a detailed roadmap of the commercial relationship between the customer and the retailer. Knowing specific SKUs purchased, the user's home country, and their history of support requests allows for the reconstruction of behavioral profiles, spending habits, and specific product grievances.

Inditex has stated that names, passwords, payment data, addresses, and telephone numbers were not compromised. While HIBP’s independent verification does not contradict the exclusion of those PII categories, it does confirm the existence of commercial and support metadata that the company did not explicitly highlight in its initial advisory.

Inditex’s Response: Confirmation Without Vendor Attribution

Inditex issued a statement confirming unauthorized access to databases hosted by a former third-party technology provider. The company stated: "Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally."

In the same communication, the Spanish retail giant, which reported a 2025 revenue of approximately €38.6 billion, assured the public that "Operations and systems haven't been affected and customers can continue to access and use its services safely." While emphasizing operational continuity, the statement remains vague regarding the total volume of data exfiltrated or the status of the information already circulating online.

Crucially, Inditex has not publicly attributed the attack to ShinyHunters nor confirmed Anodot as the entry point. Omitting the names of the vendor and the threat actor leaves customers without an official framework to assess residual risks or implement targeted countermeasures.

ShinyHunters claimed: "The company failed to reach an agreement with us despite our incredible patience, all the chances," though this claim of negotiation remains independently unverified. The group proceeded to leak the archive without Inditex officially acknowledging any ransom demands or discussions.

The High Value of SKU and Support Data in Targeted Attacks

The absence of financial data in the archive does not translate to low risk for consumers. Combining a verified email address with purchase history and support ticket content creates a highly potent dataset for spear-phishing campaigns.

A threat actor can craft fraudulent emails citing specific order numbers, exact SKUs, or previous service issues. This context significantly increases the likelihood that a victim will click a malicious link or provide credentials to a spoofed portal. The familiarity of the context effectively lowers the average user's psychological defenses.

Fraudulent schemes based on purchase history are a realistic threat. A message announcing a refund for a specific SKU or flagging a delivery issue on a verified order is highly credible and difficult for generic spam filters to detect.

Furthermore, support tickets may reveal preferred contact methods, availability windows, or internal company policy details. This information can fuel reconnaissance for more sophisticated attacks against individual users or even corporate customer service departments.

Mitigation and Security Recommendations

  • Check Have I Been Pwned to verify if your email address was included in the Zara dataset; independent verification is the first step in personal risk assessment.
  • Treat any email, SMS, or message citing Zara orders, specific SKUs, or previous support interactions with extreme skepticism. Avoid clicking links and verify communications by manually visiting the official website or app.
  • Enable two-factor authentication (2FA) on all accounts linked to the exposed email address, including Zara, and update passwords if they are not already unique and robust.
  • Monitor bank statements and transaction notifications for any unusual activity, even if payment data was not included in the leak, as purchase profiles can be used in social engineering attempts against financial institutions.

The Zara incident is not a direct breach of payment systems, but it demonstrates how compromising a SaaS analytics token can expose enough commercial metadata to arm high-quality social engineering. The discrepancy between Inditex’s minimal communication and the granular detail of the leaked data leaves customers to navigate the risk on their own. In a retail ecosystem increasingly reliant on third-party cloud platforms, transparency regarding the vector and the scope of a leak remains the only effective antidote to the phishing campaigns that inevitably follow.

Frequently Asked Questions

Has Inditex confirmed Anodot as the compromised vendor?

No. Inditex confirmed a security incident at a former third-party technology provider that affected multiple international companies, but has not identified the provider by name or confirmed Anodot as the vector.

Were customer payment details or addresses exposed?

According to Inditex’s statement and Have I Been Pwned’s verification, names, passwords, payment data, addresses, and phone numbers are not present in the dataset. However, email addresses and purchase metadata are included.

What type of attack targeted Anodot?

ShinyHunters claimed to have compromised authentication tokens to access BigQuery instances. The specific technical method used to obtain these tokens has not been documented in available reports.

Information has been verified against cited sources and is current as of the time of publication.
