Zara

zara.com
🛒 Shopping & Travel | Zara | Inditex

Zara is the flagship fashion brand of Inditex, the world's largest fashion retailer. Founded in A Coruña, Spain in 1975 by Amancio Ortega, it operates more than 2,200 stores across 96 markets and runs a vertically integrated fast-fashion model that ships new designs from concept to store in weeks. Zara is part of Inditex Group, which also owns Massimo Dutti, Pull&Bear, Bershka, Stradivarius, Oysho and Zara Home, and Inditex S.A. is the data controller for Zara customer accounts under EU GDPR.

Key Takeaways

  • In April 2026, ShinyHunters published a dataset containing roughly 197,000 unique Zara customer email addresses alongside geographic locations, purchase history (product SKUs and order IDs) and customer support ticket contents. Inditex has stated that no names, telephone numbers, postal addresses, passwords or payment information were involved.
  • Inditex is now one of the victims of a wider ShinyHunters campaign that exploited compromised authentication tokens at analytics vendor Anodot to pull customer data from the BigQuery instances of at least Vimeo, Rockstar Games, Udemy, 7-Eleven and Carnival. For EU customers it's a textbook case of why GDPR holds the controller (Inditex) responsible for personal data even when the breach happens at a processor (Anodot).
  • Even without a name or password, the leaked combination of your email, the exact items you bought, your country and the text of any support tickets you raised is enough to write a very convincing "Zara order issue" email targeted at you. If you'd rather Inditex stop holding this data, email dataprotection@zara.com and ask them to delete it.

Breach Overview

Inditex disclosed in early May 2026 that customer records had been exfiltrated from a former technology provider — later identified as analytics platform Anodot — by extortion group ShinyHunters. The compromised dataset, listed by ShinyHunters on its dark-web leak site after Inditex declined to engage, contained approximately 197,000 unique Zara customer email addresses alongside geographic location, purchase history (order IDs and product SKUs) and the contents of customer support tickets. Inditex's statement, given to BleepingComputer and other reporters, is: "Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally", adding that "operations and systems haven't been affected and customers can continue to access and use its services safely". The company specified that names, telephone numbers, postal addresses, passwords and payment information were not in the leak. The same Anodot intrusion is reported to have produced roughly 140GB of data and around 95 million customer support ticket records across all victims, with Vimeo, Rockstar Games, Udemy, 7-Eleven and Carnival also named in the campaign. Inditex has not, at the time of writing, published a customer-facing notice or FAQ on zara.com or inditex.com.

Exposed Data

  • Email addresses
  • Geographic locations
  • Purchases
  • Support tickets

Timeline & Cause

ShinyHunters listed Zara on its dark-web extortion portal in mid-April 2026 with a deadline of 21 April 2026 for Inditex to make contact. When no negotiations took place, the dataset was published on 22 April 2026. Inditex publicly confirmed the breach in early May 2026 and Have I Been Pwned added it on 8 May 2026. Inditex attributed the root cause to a security incident at "a former technology provider" — independently identified as analytics vendor Anodot — and confirmed it had "immediately applied its security protocols" and started notifying the relevant authorities. The attack vector was compromised Anodot authentication tokens, which ShinyHunters used to query Anodot customers' Google BigQuery instances and pull data without ever touching Inditex's own infrastructure. The same vector has been used against Vimeo, Rockstar Games, Udemy, 7-Eleven and Carnival in the same campaign.

Next Steps

What leaked here is unusual: there's no password to rotate and no name on file, but attackers do have your Zara email address, a list of what you actually bought (down to the SKU and order number), the country you shop from, and the text of any support tickets you raised. That is a phishing kit. Expect emails or SMS that quote your real order number — "there's a problem with your refund for order #1234567890" with a fake link to "verify your card", "your return for [the actual item you bought] couldn't be processed, click to re-submit", or follow-ups to a complaint you genuinely raised months ago ("we've reopened your support ticket, please confirm your details to receive a gift card"). If you live in a country Zara serves through duties, expect the classic "your Zara delivery is held at customs, pay €1.99" variant — they know your country. The rule of thumb: anything Zara-branded that arrives unprompted and leans on a real order number, a specific item, or a complaint you remember making is the attackers reading from the leak. Don't click the link, don't call the number back, don't pay.
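The rule of thumb above can be turned into a mail-triage check. The following is an added example, not code from this page or from Inditex: it flags a Zara-branded message only when a leak-derived lure (order number, refund, support ticket, customs fee, payment request) coincides with a sender or link outside a trusted set. The trusted set (the two domains named on this page), the regexes and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only the two domains named on this page count as genuine senders.
TRUSTED_DOMAINS = {"zara.com", "inditex.com"}
# Lure themes from the paragraph above; the regexes themselves are illustrative.
LURES = {
    "order_reference": re.compile(r"\border\s*(?:number|no\.?|#)?\s*#?\d{6,}", re.I),
    "refund_or_return": re.compile(r"\b(refund|return)\b", re.I),
    "support_ticket": re.compile(r"\bsupport ticket\b", re.I),
    "customs_fee": re.compile(r"\bcustoms\b", re.I),
    "verify_or_pay": re.compile(r"\b(verify|confirm) your (card|details)\b|\bpay\b", re.I),
}
URL_RE = re.compile(r"https?://([^/\s:]+)", re.I)

def is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return the reasons a message looks like a leak-driven lure, or []."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes a single-part plain-text message
    text = f"{msg.get('Subject', '')}\n{body}"
    if "zara" not in (msg.get("From", "") + text).lower():
        return []  # not Zara-branded, out of scope for this check
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reasons = []
    if not is_trusted(sender_host):
        reasons.append("sender_domain:" + sender_host)
    reasons += ["link_domain:" + h for h in URL_RE.findall(body) if not is_trusted(h)]
    lures = [name for name, rx in LURES.items() if rx.search(text)]
    # Flag only when a lure theme coincides with an untrusted sender or link.
    return reasons + lures if reasons and lures else []

# Constructed sample messages (not real mail).
PHISH = ("From: Zara Support <support@zara-orders.example>\n"
         "Subject: Problem with your refund for order #1234567890\n\n"
         "Verify your card here: http://zara-refunds.example/verify\n")
LEGIT = ("From: Zara <noreply@zara.com>\n"
         "Subject: Your order 9876543210 has shipped\n\n"
         "Track it at https://www.zara.com/orders\n")

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(LEGIT))
```

The From header is trivially spoofed, so a check like this sits behind SPF/DKIM/DMARC evaluation rather than replacing it; the link-domain test is what still catches a message that forges a trusted sender.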

If you'd rather Inditex stop holding this data, email dataprotection@zara.com and ask them to close your Zara account and delete your personal data. Plain email is enough — you don't have to use Zara's own privacy form, you don't have to give a reason, and they have 30 days to confirm. Mention that the request covers all Inditex brands you've shopped with (Zara, Massimo Dutti, Pull&Bear, Bershka, Stradivarius, Oysho, Zara Home) so you don't have to send the same request seven times.

Inditex says no passwords were taken, so your Zara login itself doesn't need changing. The catch: your email is now in a confirmed leak alongside several other companies hit in the same Anodot-linked campaign, which means it will be tried as a credential-stuffing username elsewhere. If you reuse the same password between Zara and any other site, change it on every site that shares it.
