# Full Report
Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. [...]
# Analysis Summary
# Incident Report: Compromise of Third-Party Provider Impacts Zara Customer Data
## Executive Summary
Spanish fashion retailer Zara experienced a data breach originating from a security incident at a former third-party technology provider. The breach resulted in the unauthorized access and exfiltration of data belonging to approximately 197,400 customers, including email addresses and purchase histories. The ShinyHunters extortion gang has claimed responsibility, citing the use of compromised authentication tokens to access cloud databases.
## Incident Details
- **Discovery Date:** April 2026 (Reported by Inditex group)
- **Incident Date:** Ongoing/Detected late 2025 to early 2026
- **Affected Organization:** Zara (Inditex Group)
- **Sector:** Retail / Fashion
- **Geography:** Global (Spanish-based parent company)
## Timeline of Events
### Initial Access
- **Date/Time:** Specific date not disclosed; reported publicly May 8, 2026.
- **Vector:** Third-party supply chain compromise.
- **Details:** Attackers gained access via a "former technology provider." ShinyHunters claimed the use of compromised Anodot authentication tokens.
### Lateral Movement
- **Details:** After obtaining authentication tokens, the attackers moved laterally from the provider's environment to connected SaaS and cloud storage instances, specifically targeting BigQuery databases.
### Data Exfiltration/Impact
- **Details:** Attackers exfiltrated a 140GB archive. Data included 197,400 unique email addresses, geographic locations, product SKUs, order IDs, and customer support tickets.
### Detection & Response
- **Detection:** Identified through internal security protocols following the breach of the service provider; confirmed by the "Have I Been Pwned" service.
- **Response:** Inditex applied security protocols, initiated notifications to relevant data protection authorities, and began the process of informing affected customers.
## Attack Methodology
- **Initial Access:** Valid accounts (Compromised Anodot authentication tokens).
- **Persistence:** Not explicitly stated; likely through stolen session tokens.
- **Privilege Escalation:** Use of high-level service tokens to access cloud data warehouses.
- **Defense Evasion:** Use of legitimate authentication tokens to bypass standard login alerts.
- **Credential Access:** Stolen OAuth/API tokens from a third-party integrator.
- **Discovery:** Cloud service discovery (BigQuery instances).
- **Lateral Movement:** Third-party to cloud environment.
- **Collection:** Automated collection from BigQuery instances.
- **Exfiltration:** Exfiltration of 140GB of data to actor-controlled infrastructure.
- **Impact:** Data theft and public extortion/leaking.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR) and costs associated with incident response.
- **Data Breach:** High; 197,400 unique customer email addresses and transaction metadata.
- **Operational:** Low; Inditex stated internal systems and operations remained unaffected.
- **Reputational:** Moderate; public leak on extortion sites and widespread media coverage.
## Indicators of Compromise
- **Network indicators:** N/A (Cloud-to-cloud attack).
- **File indicators:** 140GB data archive leak.
- **Behavioral indicators:** Unusual access patterns from Anodot service accounts/tokens to BigQuery instances.
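The behavioral indicator above (unusual access from a third-party service account to BigQuery) and the monitoring recommendation at the end of this report can be expressed as simple detection logic over read events. The following is an added example, not part of the original report and not Inditex's or any vendor's tooling: it runs over constructed, simplified read records (the field names are our own, not the real BigQuery Data Access audit-log schema), with illustrative thresholds and hypothetical principal names, and flags any activity from an identity that should have been de-provisioned as well as bulk reads and table sweeps by one principal inside a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Illustrative thresholds (assumptions; tune to the environment's baseline).
BYTES_PER_WINDOW_THRESHOLD = 50 * GIB   # one principal reading more than this inside the window
DISTINCT_TABLES_THRESHOLD = 3           # one principal touching this many distinct tables inside the window

# Identities of vendors whose access should already be revoked (hypothetical names).
OFFBOARDED_PRINCIPALS = {
    "legacy-sa@old-provider.iam.gserviceaccount.com",
}

# Constructed, simplified read events. Field names are our own, not the real
# BigQuery audit-log schema; a real pipeline would map from that schema.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T01:00:00Z", "principal": "etl-sa@vendor-a.iam.gserviceaccount.com",
     "table": "sales.orders", "bytes": 30 * GIB},
    {"ts": "2026-03-02T01:20:00Z", "principal": "etl-sa@vendor-a.iam.gserviceaccount.com",
     "table": "sales.customers", "bytes": 25 * GIB},
    {"ts": "2026-03-02T01:40:00Z", "principal": "etl-sa@vendor-a.iam.gserviceaccount.com",
     "table": "support.tickets", "bytes": 12 * GIB},
    {"ts": "2026-03-02T03:15:00Z", "principal": "legacy-sa@old-provider.iam.gserviceaccount.com",
     "table": "sales.orders", "bytes": 1 * GIB},
    {"ts": "2026-03-02T09:00:00Z", "principal": "analyst@corp.example",
     "table": "sales.orders", "bytes": 2 * GIB},
    {"ts": "2026-03-02T10:30:00Z", "principal": "analyst@corp.example",
     "table": "sales.orders", "bytes": 1 * GIB},
]


def parse_ts(value):
    """Parse the UTC timestamp format used by the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(hours=1)):
    """Return alerts for offboarded-identity access, bulk reads and table sweeps.

    Each rule fires at most once per principal, so a long-running sweep
    produces one alert rather than one per event.
    """
    alerts = []
    fired = set()
    by_principal = defaultdict(list)

    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        principal = event["principal"]
        # Rule 1: any activity from a de-provisioned vendor identity is an alert on its own.
        key = (principal, "offboarded_principal_access")
        if principal in OFFBOARDED_PRINCIPALS and key not in fired:
            fired.add(key)
            alerts.append({"rule": key[1], "principal": principal,
                           "ts": event["ts"], "table": event["table"]})
        by_principal[principal].append(event)

    # Rules 2 and 3: sliding window over each principal's reads, in time order.
    for principal, evs in by_principal.items():
        start = 0
        for end in range(len(evs)):
            while parse_ts(evs[end]["ts"]) - parse_ts(evs[start]["ts"]) > window:
                start += 1
            current = evs[start:end + 1]
            total_bytes = sum(e["bytes"] for e in current)
            tables = {e["table"] for e in current}
            if total_bytes > BYTES_PER_WINDOW_THRESHOLD and (principal, "bulk_read") not in fired:
                fired.add((principal, "bulk_read"))
                alerts.append({"rule": "bulk_read", "principal": principal,
                               "ts": evs[end]["ts"], "bytes": total_bytes})
            if len(tables) >= DISTINCT_TABLES_THRESHOLD and (principal, "table_sweep") not in fired:
                fired.add((principal, "table_sweep"))
                alerts.append({"rule": "table_sweep", "principal": principal,
                               "ts": evs[end]["ts"], "tables": sorted(tables)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The offboarded-identity rule is deliberately zero-tolerance: a former provider's service account should never appear in the logs at all, so a single event is enough to page someone, whereas the volume rules need a baseline per integration to avoid alerting on a legitimate nightly ETL.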
## Response Actions
- **Containment:** Revocation of compromised third-party authentication tokens.
- **Eradication:** Termination of relationship/access for the affected former tech provider.
- **Recovery:** Notification to regulatory authorities and "Have I Been Pwned" integration for customer awareness.
## Lessons Learned
- **Supply Chain Risk:** Even "former" providers may retain access or hold legacy data that remains a liability.
- **Token Management:** Hardened security for API and authentication tokens (like Anodot or Snowflake-related integrations) is critical.
- **Data Minimization:** Retaining customer support tickets and PII on third-party platforms increases the attack surface.
## Recommendations
- **Token Rotation:** Implement strict expiration and rotation policies for all third-party SaaS authentication tokens.
- **Identity Security:** Move from long-lived tokens to short-lived credentials wherever possible.
- **Vendor Offboarding:** Ensure a rigorous "de-provisioning" process that removes all API access and deletes data from former vendors immediately upon contract termination.
- **Monitoring:** Implement anomaly detection for cloud data warehouse exports (e.g., BigQuery, Snowflake) to identify bulk data exfiltration.
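The token rotation, short-lived credential and vendor offboarding recommendations above can be checked continuously against an inventory of third-party integration tokens. The following is an added example, not part of the original report and not any product's API: it audits a constructed inventory (hypothetical vendor names, token ids and policy values) and returns, for each live token, the policy rules it violates and whether the fix is revocation or rotation.

```python
from datetime import datetime, timedelta

# Illustrative policy values (assumptions; set them to your own standard).
MAX_TOKEN_AGE = timedelta(days=90)   # rotate anything issued longer ago than this
MAX_LIFETIME = timedelta(days=90)    # an expiry further out than this counts as long-lived
MAX_IDLE = timedelta(days=30)        # a token nobody has used for this long is dead weight

# Constructed inventory, the kind of export an integration registry might give you.
# Vendor names and token ids are hypothetical.
SAMPLE_INVENTORY = [
    {"id": "tok-001", "vendor": "vendor-a", "vendor_status": "active", "revoked": False,
     "issued_at": "2026-02-15", "expires_at": "2026-05-15", "last_used_at": "2026-03-01"},
    {"id": "tok-002", "vendor": "old-provider", "vendor_status": "terminated", "revoked": False,
     "issued_at": "2025-06-01", "expires_at": None, "last_used_at": "2026-02-28"},
    {"id": "tok-003", "vendor": "vendor-b", "vendor_status": "active", "revoked": False,
     "issued_at": "2025-09-01", "expires_at": "2027-09-01", "last_used_at": "2025-12-01"},
    {"id": "tok-004", "vendor": "old-provider", "vendor_status": "terminated", "revoked": True,
     "issued_at": "2025-06-01", "expires_at": None, "last_used_at": "2025-11-01"},
]


def parse_date(value):
    """Parse YYYY-MM-DD; None stays None (no expiry / never used)."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def audit_tokens(inventory, as_of):
    """Return one finding per live token that violates the policy.

    `as_of` is a YYYY-MM-DD string so runs are reproducible.
    """
    now = parse_date(as_of)
    findings = []
    for tok in inventory:
        if tok["revoked"]:
            continue  # already dealt with
        issued = parse_date(tok["issued_at"])
        expires = parse_date(tok["expires_at"])
        last_used = parse_date(tok["last_used_at"])
        reasons = []
        # A token for a vendor whose contract ended should have gone with the contract.
        if tok["vendor_status"] != "active":
            reasons.append("vendor_offboarded")
        # Tokens without an expiry, or with a far-off one, are the long-lived credentials
        # the report recommends replacing.
        if expires is None:
            reasons.append("no_expiry")
        elif expires - issued > MAX_LIFETIME:
            reasons.append("long_lived")
        if now - issued > MAX_TOKEN_AGE:
            reasons.append("rotation_overdue")
        if last_used is None or now - last_used > MAX_IDLE:
            reasons.append("idle")
        if reasons:
            # Offboarded or idle tokens are removed outright; the rest are rotated.
            action = "revoke" if ("vendor_offboarded" in reasons or "idle" in reasons) else "rotate"
            findings.append({"id": tok["id"], "vendor": tok["vendor"],
                             "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_INVENTORY, "2026-03-02"):
        print(finding)
```

Run this from the vendor register on a schedule and the offboarding gap described in this incident (a former provider still holding a usable token) surfaces as a `vendor_offboarded` finding the day the vendor's status changes, instead of when the data turns up on a leak site.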