Security records show that a breach affecting Zara-related databases has exposed information about 197,400 e-mail addresses, along with commercial data such as order identifiers, SKUs and support tickets, according to the analysis published by Have I Been Pwned (Have I Been Pwned: Zara). Inditex has confirmed that the compromised databases were managed by a former technology provider and states that no payment cards, passwords or, according to its version, full phone numbers or addresses were accessed; however, the leak of commercial metadata remains significant because of the social engineering risk.
The cybercrime group known as ShinyHunters has claimed responsibility and published a large file that, according to its claims, comes from BigQuery instances accessed with compromised authentication tokens from the Anodot platform. This is a paradigmatic case of how compromised third-party credentials and tokens can lead to mass leaks without directly attacking the retailer's own systems; for more details on the attribution and the published dump, see the technical press report published by BleepingComputer (BleepingComputer on the leak).

Beyond the figures, the concern is how useful this data is to attackers: support tickets and purchase records provide context for convincing forgeries (phishing, vishing) and for customer-service impersonation. Although financial data has not been disclosed, the combination of e-mail address, market and order details enables targeted campaigns that substantially increase the success of subsequent fraud.
This incident is part of a broader trend: supplier-focused attacks, token exploitation and social engineering campaigns that target employees' SSO accounts in order to pivot into connected SaaS applications. Inditex notified the authorities and activated internal protocols, but has not yet made public the identity of the supplier concerned or the attribution of the actor. The absence of this information makes it difficult to fully assess the scope and the corrective measures required.
If you are a potentially affected customer, act quickly and prudently to reduce risk: check whether your e-mail address appears in the Have I Been Pwned database, strengthen your passwords and enable multifactor authentication (ideally with phishing-resistant methods, such as FIDO2 keys), be wary of unexpected communications that refer to orders or support, and avoid providing additional data by phone or e-mail. It is also advisable to review your spam folder and mail forwarding rules and, where appropriate, to exercise your data protection rights (request for access or deletion) with the company under the General Data Protection Regulation (GDPR).

For companies and security officers, the incident is a reminder that the attack surface extends to every supplier and every token that stores or processes data. Reviewing third-party governance, rotating and managing secrets, implementing least-privilege policies, auditing access to BigQuery and other cloud services, and deploying behaviour-based detection are essential measures. In addition, strengthening SSO controls (mandatory MFA, session monitoring and protection against targeted phishing) and testing incident response scenarios with suppliers can make the difference between a contained incident and a mass leak.
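The behaviour-based detection recommended above, as an added example that is not taken from Inditex, Anodot or any report on the incident: it learns a per-credential baseline of source IPs, tables and read volume, then flags access that deviates from it. The record layout, account names, IP addresses, table names and the 10x threshold are constructed assumptions, not a real audit-log schema.

```python
from collections import defaultdict

# Constructed, simplified access records (assumed layout, not a real schema):
# (principal, caller_ip, table, bytes_read)
BASELINE = [
    ("svc-analytics@example.invalid", "198.51.100.10", "sales.orders_daily", 2_000_000),
    ("svc-analytics@example.invalid", "198.51.100.11", "sales.sku_metrics", 1_200_000),
]
OBSERVED = [
    ("svc-analytics@example.invalid", "198.51.100.10", "sales.orders_daily", 2_200_000),
    ("svc-analytics@example.invalid", "203.0.113.77", "support.tickets", 900_000_000),
    ("svc-unknown@example.invalid", "203.0.113.77", "sales.orders_daily", 1_000),
]
VOLUME_FACTOR = 10  # assumed threshold: flag reads 10x above the baseline peak


def build_profiles(records):
    """Learn, per principal, the source IPs, tables and peak read size seen."""
    profiles = defaultdict(lambda: {"ips": set(), "tables": set(), "peak": 0})
    for principal, ip, table, nbytes in records:
        p = profiles[principal]
        p["ips"].add(ip)
        p["tables"].add(table)
        p["peak"] = max(p["peak"], nbytes)
    return dict(profiles)


def detect(records, profiles, factor=VOLUME_FACTOR):
    """Return (record_index, reasons) for every record that deviates."""
    findings = []
    for i, (principal, ip, table, nbytes) in enumerate(records):
        profile = profiles.get(principal)
        if profile is None:  # a credential with no history is itself a finding
            findings.append((i, ["principal_without_baseline"]))
            continue
        reasons = []
        if ip not in profile["ips"]:
            reasons.append("new_source_ip")
        if table not in profile["tables"]:
            reasons.append("new_table")
        if nbytes > factor * profile["peak"]:
            reasons.append("volume_spike")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    print(detect(OBSERVED, build_profiles(BASELINE)))
```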
Technically, the lesson is clear: tokenization and APIs simplify integration, but without robust controls they become critical attack vectors. Transparency in post-breach communication and collaboration with the authorities are key to minimizing reputational and legal damage; Inditex has already announced that it has notified the authorities, but customers and regulators expect more public detail on mitigation and audits.
Finally, some context: this is not an isolated event, but part of a wave of leaks that shows repeated failures in the management of suppliers and credentials. If you want to look further into the case and follow the official updates, in addition to the Have I Been Pwned analysis and the technical reports, see the group's statement on the notification and the company's initial reactions in media such as MarketWatch (MarketWatch: Inditex warns of the breach).