Zara data breach uncovered private data of 197,000 folks

Hackers who gained entry to the databases of Spanish fast-fashion retailer Zara stole information belonging to greater than 197,000 clients, in line with data breach notification service Have I Been Pwned.

Zara has over 1,500 company-managed and franchised shops worldwide and is the flagship model of the Inditex Group, one of many world’s largest style distribution teams, which additionally owns Bershka, Zara House, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe.

As Inditex acknowledged final month, when the data breach was broadly reported, the compromised databases have been hosted by a former tech supplier and contained details about enterprise relationships with clients in several markets.

Nevertheless, Inditex famous that the attackers did not achieve entry to affected clients’ names, cellphone numbers, addresses, credentials, or fee data (resembling financial institution playing cards).

It additionally added that its operations and techniques have been unaffected, however has but to attribute the breach to a selected menace actor and to share the title of the hacked supplier.

“Inditex has instantly utilized its security protocols and has began notifying the related authorities of this unauthorized entry, that stems from a security incident that affected a former expertise supplier and has impacted a number of corporations working internationally,” Inditex mentioned.

​Whereas Inditex and Zara have but to reveal extra particulars relating to the incident, together with the full variety of affected people, the ShinyHunters extortion gang has since claimed accountability for the breach and leaked a 140GB archive containing paperwork allegedly stolen from BigQuery situations utilizing compromised Anodot authentication tokens.

​Have I Been Pwned analyzed the stolen information and mentioned at present that the ensuing data breach uncovered the information of 197,400 folks, together with distinctive electronic mail addresses, geographic places, purchases, and assist tickets. “The information contained 197k distinctive electronic mail addresses alongside product SKUs, order IDs and the market the assist ticket originated in,” Have I Been Pwned mentioned.

Beforehand, the cybercrime gang informed BleepingComputer that they’d stolen information from dozens of corporations utilizing Anodot authentication tokens, including that they have been blocked by AI-based detection when attempting to steal information from Salesforce situations.

The group has additionally been linked to a widespread vishing marketing campaign concentrating on staff’ and Enterprise Course of Outsourcing (BPO) brokers’ Microsoft Entra, Okta, and Google SSO accounts to steal information from related SaaS functions (together with Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others) after breaching company SSO accounts.

Different breaches claimed by ShinyHunters in latest months embrace Google, Cisco, PornHub, on-line relationship large Match Group, video service Vimeo, Rockstar Video games, dwelling security large ADT, the European Fee, cloud growth platform Vercel, edtech large McGraw Hill, medical gadget maker Medtronic, cruise line operator Carnival, comfort retailer chain 7-Eleven, and on-line coaching firm Udemy.

Extra just lately, ShinyHunters hacked schooling expertise large Instructure twice, the second time exploiting a security vulnerability to deface Canvas login portals for about 330 schools and universities and threatening to leak information stolen within the earlier Instructure breach until a ransom is paid.

MANGO, one other Spanish style retailer large, additionally despatched notices of a data breach to its clients in October, warning them that private information utilized in advertising campaigns had been compromised after its advertising vendor was hacked. Nevertheless, no ransomware or extortion teams have claimed the MANGO incident, so the attackers stay unknown.