Zara Data Breach Exposes 197,000 Customers' Information

May 9, 2026

Zara, the Spanish fast-fashion retailer, has suffered a data breach that exposed the personal information of over 197,000 customers, according to data breach notification service Have I Been Pwned.

Zara is the flagship brand of the Inditex Group, one of the world's largest fashion distribution groups, with over 1,500 company-managed and franchised stores worldwide. The compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets.

Data Breach Details

Inditex stated that the attackers didn't gain access to affected customers' names, phone numbers, addresses, credentials, or payment information, such as bank cards. The company's operations and systems were unaffected, but it has yet to attribute the breach to a specific threat actor or share the name of the hacked provider.

Inditex said:

"Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally."

ShinyHunters' Involvement

The ShinyHunters extortion gang has claimed responsibility for the breach and leaked a 140GB archive containing documents allegedly stolen from BigQuery instances using compromised Anodot authentication tokens. Have I Been Pwned analyzed the stolen data and said that the resulting data breach exposed the data of 197,400 people, including unique email addresses, geographic locations, purchases, and support tickets.

The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in, according to Have I Been Pwned.

ShinyHunters' History of Breaches

ShinyHunters has been linked to a widespread vishing campaign targeting employees' and Business Process Outsourcing (BPO) agents' Microsoft Entra, Okta, and Google SSO accounts to steal data from connected SaaS applications. The group has also been responsible for breaches at Google, Cisco, PornHub, online dating giant Match Group, video service Vimeo, Rockstar Games, home security giant ADT, the European Commission, edtech giant McGraw Hill, medical device maker Medtronic, cruise line operator Carnival, convenience store chain 7-Eleven, and online training company Udemy.

More recently, ShinyHunters hacked education technology giant Instructure twice, the second time exploiting a security vulnerability to deface Canvas login portals for approximately 330 colleges and universities and threatening to leak data stolen in the earlier Instructure breach unless a ransom is paid.

Other Recent Breaches

MANGO, another Spanish fashion retail giant, also sent data breach notices to its customers in October, warning them that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. However, no ransomware or extortion groups have claimed the MANGO incident, so the attackers remain unknown.


Source: BleepingComputer
