Zara data breach: what was exposed and how ShinyHunters got in

• Email addresses. ^[5][10]
• Geographic market or location-related data. ^[7][10]
• Purchase and order information, including order IDs, products, or SKUs in some reporting. ^[7][8][10]
• Support-ticket data. ^[7][8][10]

That combination matters because it can make phishing messages look more believable: an attacker may be able to reference a real email address, market, order, product, or support interaction. Cloaked’s write-up warned that the leaked details could still fuel phishing and account-takeover attempts even without passwords or card numbers. ^[4]

What was reportedly not accessed?

Inditex reportedly said passwords and payment-card information were not accessed. ^[4] Daily.dev’s summary also reported that names, phone numbers, addresses, credentials, and payment data were not compromised, but that should still be read alongside the broader caveat that Inditex has not publicly released a full technical breakdown of the incident. ^[5][10]

For customers, the practical takeaway is that this does not look like a payment-card breach based on current reporting. The more immediate risk is social engineering: emails or messages that pretend to be about a Zara order, refund, delivery problem, or support case. ^[4][7][10]

How ShinyHunters allegedly gained access

Inditex’s confirmed account points outside Zara’s own infrastructure: the unauthorized access was tied to databases hosted by a former technology provider or external contractor. ^[1][4][13]

Security reporting then connected the incident to ShinyHunters. BleepingComputer reported that the extortion group claimed responsibility and said it leaked data allegedly taken from BigQuery instances using compromised Anodot authentication tokens. ^[5] Other reports similarly identify Anodot, an analytics provider, as the alleged third-party route into downstream customer data. ^[8][10][11]

In plain terms, the reported path was not “hack Zara’s checkout page.” It was closer to: compromise or obtain valid third-party authentication tokens, use those tokens to reach connected cloud data environments, and exfiltrate data held there. That distinction matches Inditex’s statement that the incident originated with a former provider rather than inside Inditex’s own systems. ^[1][4][5]

What is still uncertain

The public record is not as complete as a formal forensic report. BleepingComputer noted that Inditex and Zara had not disclosed all details of the incident, including a complete official count of affected people. ^[5] The specific ShinyHunters access method also relies partly on threat-actor claims and secondary security reporting, so it should be treated as the leading reported explanation rather than a fully confirmed technical finding. ^[5][8][10]

Reports also vary on the claimed archive size: BleepingComputer and Daily.dev cite a 140GB archive, while Cork Safety Alerts cited a ShinyHunters claim of 192GB from BigQuery cloud instances. ^[5][10][11] For individual customers, the more useful number is the record count reported through Have I Been Pwned: roughly 197,400 affected entries. ^[4][5][10]

What Zara customers should do now

If your email address may have been in the dataset, treat unsolicited Zara-related messages with caution. Do not click links in emails or texts about refunds, delivery issues, payment failures, loyalty rewards, or support tickets; go directly to Zara’s official site or app instead.

Because current reporting says passwords and payment-card data were not accessed, mass card replacement is not the obvious first step based on the known facts. ^[4][10] Still, change any reused password if you used the same credentials across retail accounts, and enable multi-factor authentication where available.

Why this breach matters beyond Zara

The incident shows why third-party analytics and cloud-data connections can create customer-data exposure even when a retailer says its own core systems were not directly breached. ^[1][4][13] For security teams, the reported token-and-data-warehouse path points to familiar controls: revoke access for former vendors, rotate authentication tokens, restrict cloud warehouse permissions, monitor unusual exports, and audit who can reach customer datasets. ^[5][8][10]

The bottom line: the exposed Zara data was narrower than a password or payment-card breach, but it was still personal enough to be abused. The risk is not only what was leaked, but how a third-party connection allegedly made a global retail brand’s customer data reachable in the first place. ^[4][5][10]