About 197,400 Zara customer records were reportedly exposed, including email addresses, geographic market/location data, purchase or order information, and support ticket data; Inditex said passwords and payment card... Security reporting links the incident to ShinyHunters and the alleged use of compromised Anodot a...

Create a landscape editorial hero image for this Studio Global article: What personal data was exposed in the Zara third-party breach, and how did ShinyHunters gain access to it?. Article summary: The exposed Zara data reportedly included about 197,400 customer records, mainly email addresses, geographic/location market data, purchase/order information, and support-ticket data. ShinyHunters appears to have accesse. Topic tags: general, general web. Reference image context from search candidates: Reference image 1: visual subject "# Zara Data Breach Exposed Personal Information of 197,000 People. Have I Been Pwned has confirmed that a data breach at Spanish fast-fashion retailer Zara exposed the personal inf" source context "Zara Data Breach Exposed Personal Information of 197,000 People" Reference image 2: visual subject "# Zara Data Breach Exposed Personal Information of 197,000 People.
Zara’s breach is best understood as a third-party data exposure. Inditex, Zara’s parent company, tied the incident to unauthorized access at a former technology provider, while breach-notification reporting put the affected population at about 197,400 people. The exposed data appears useful for targeted scams even though current reporting says passwords and payment-card data were not accessed.
Have I Been Pwned listed the Zara incident as affecting more than 197,000 people, with several reports giving the figure as 197,400 records. The exposed fields reportedly included:
That combination matters because it can make phishing messages look more believable: an attacker may be able to reference a real email address, market, order, product, or support interaction. Cloaked’s write-up warned that the leaked details could still fuel phishing and account-takeover attempts even without passwords or card numbers.
Inditex reportedly said passwords and payment-card information were not accessed. Daily.dev’s summary also reported that names, phone numbers, addresses, credentials, and payment data were not compromised, but that should still be read alongside the broader caveat that Inditex has not publicly released a full technical breakdown of the incident.
For customers, the practical takeaway is that this does not look like a payment-card breach based on current reporting. The more immediate risk is social engineering: emails or messages that pretend to be about a Zara order, refund, delivery problem, or support case.
Inditex’s confirmed account points outside Zara’s own infrastructure: the unauthorized access was tied to databases hosted by a former technology provider or external contractor.
Security reporting then connected the incident to ShinyHunters. BleepingComputer reported that the extortion group claimed responsibility and said it leaked data allegedly taken from BigQuery instances using compromised Anodot authentication tokens. Other reports similarly identify Anodot, an analytics provider, as the alleged third-party route into downstream customer data.
In plain terms, the reported path was not “hack Zara’s checkout page.” It was closer to: compromise or obtain valid third-party authentication tokens, use those tokens to reach connected cloud data environments, and exfiltrate data held there. That distinction matches Inditex’s statement that the incident originated with a former provider rather than inside Inditex’s own systems.
The public record is not as complete as a formal forensic report. BleepingComputer noted that Inditex and Zara had not disclosed all details of the incident, including a complete official count of affected people. The specific ShinyHunters access method also relies partly on threat-actor claims and secondary security reporting, so it should be treated as the leading reported explanation rather than a fully confirmed technical finding.
Reports also vary on the claimed archive size: BleepingComputer and Daily.dev cite a 140GB archive, while Cork Safety Alerts cited a ShinyHunters claim of 192GB from BigQuery cloud instances. For individual customers, the more useful number is the record count reported through Have I Been Pwned: roughly 197,400 affected entries.
If your email address may have been in the dataset, treat unsolicited Zara-related messages with caution. Do not click links in emails or texts about refunds, delivery issues, payment failures, loyalty rewards, or support tickets; go directly to Zara’s official site or app instead.
Because current reporting says passwords and payment-card data were not accessed, mass card replacement is not the obvious first step based on the known facts. Still, change any reused password if you used the same credentials across retail accounts, and enable multi-factor authentication where available.
The incident shows why third-party analytics and cloud-data connections can create customer-data exposure even when a retailer says its own core systems were not directly breached. For security teams, the reported token-and-data-warehouse path points to familiar controls: revoke access for former vendors, rotate authentication tokens, restrict cloud warehouse permissions, monitor unusual exports, and audit who can reach customer datasets.
The bottom line: the exposed Zara data was narrower than a password or payment-card breach, but it was still personal enough to be abused. The risk is not only what was leaked, but how a third-party connection allegedly made a global retail brand’s customer data reachable in the first place.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
About 197,400 Zara customer records were reportedly exposed, including email addresses, geographic market/location data, purchase or order information, and support ticket data; Inditex said passwords and payment card...
About 197,400 Zara customer records were reportedly exposed, including email addresses, geographic market/location data, purchase or order information, and support ticket data; Inditex said passwords and payment card... Security reporting links the incident to ShinyHunters and the alleged use of compromised Anodot authentication tokens to reach BigQuery hosted data, but Inditex has not published a full technical postmortem.