Cybersecurity, 51 mins ago

ShinyHunters Claims Zara Breach, Exposing 197,400 Customer Records

ShinyHunters says it stole 140 GB from Zara, exposing 197,400 customer emails, locations and support tickets. No payment data taken.

Peter Olaleru / 3 min / US

Cybersecurity Editor

Source: Bleepingcomputer

ShinyHunters claimed responsibility for a Zara data leak that exposed 197,400 records, including emails, locations, order IDs and support tickets. The attackers did not obtain names, phone numbers, addresses, login credentials or payment information.

Context

Zara, the flagship brand of Inditex, operates over 1,500 stores worldwide. The compromised data resided in databases hosted by a former technology provider and was accessed via stolen Anodot authentication tokens. Have I Been Pwned confirmed the breach after analyzing the leaked archive.

Key Facts

- 197,400 unique email addresses were exposed, alongside geographic locations, product SKUs, order IDs and support-ticket metadata.
- ShinyHunters released a 140 GB archive allegedly taken from BigQuery instances using the compromised tokens.
- The attackers did not acquire names, phone numbers, physical addresses, credentials or payment data, per Inditex and Have I Been Pwned.
- ShinyHunters has previously claimed breaches at Google, Cisco, Match Group, Medtronic and others, often leveraging vishing to steal SSO tokens.

What It Means

The incident shows how token‑based abuse can bypass traditional perimeter defenses, allowing threat actors to query cloud data stores without triggering credential‑based alerts. While no financial or identity data was taken, the exposed purchase and support information could enable targeted phishing or social‑engineering campaigns.

Mitigations

- Rotate and invalidate all Anodot (or similar monitoring) API tokens immediately; enforce short-lived tokens and mandatory re-authentication.
- Detect anomalous token usage in line with MITRE ATT&CK technique T1078 (Valid Accounts) monitoring: flag token use from unfamiliar IPs or at unusual times.
- Apply the principle of least privilege to BigQuery service accounts; restrict access to only the datasets each account requires.
- Enable data-exfiltration detection rules for large query result downloads (e.g., >100 MB) and correlate them with token-access logs.
- Review and patch any known vulnerabilities in token-management platforms; consult vendor advisories for CVE-2023-XXXX-style issues if applicable.
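To make the detection items above concrete, here is an added example (not code from the article, Inditex, Anodot or Google) of the two monitoring rules working together: flag token use from an IP the token has not used before or outside business hours, flag query results above the 100 MB threshold, and escalate only when a large download coincides with another anomaly on the same token. The log lines, the five-field record layout, the token ids and the IP addresses are all constructed for the example and do not follow BigQuery's or Anodot's real audit formats; the 07:00-19:59 UTC "business hours" window and the two-day baseline are assumptions a real deployment would replace with a curated history.

```python
"""Toy detector for anomalous API-token use and bulky query exports.

Constructed example for illustration: the records below are made up and use a
simplified schema (not Google BigQuery's or Anodot's real audit-log format).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit records, one per authenticated API call.
# Fields: timestamp, token id, source IP, operation, bytes returned.
SAMPLE_LOG = """\
2024-01-08T09:12:04Z tok-A1 203.0.113.10 query 2400000
2024-01-08T10:03:51Z tok-A1 203.0.113.10 query 1800000
2024-01-09T09:45:12Z tok-A1 203.0.113.11 query 3100000
2024-01-09T14:20:00Z tok-B2 203.0.113.10 query 700000
2024-01-10T02:17:39Z tok-A1 198.51.100.77 query 9500000
2024-01-10T02:21:02Z tok-A1 198.51.100.77 export 640000000
2024-01-10T11:05:44Z tok-B2 203.0.113.10 query 500000
"""

LARGE_RESULT_BYTES = 100 * 1024 * 1024   # the >100 MB threshold from the article
BUSINESS_HOURS = range(7, 20)            # assumed normal window, 07:00-19:59 UTC


def parse_log(text):
    """Parse the simplified log into dicts; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, token, ip, op, size = parts
        try:
            records.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                "token": token, "ip": ip, "op": op, "bytes": int(size),
            })
        except ValueError:
            continue
    return records


def baseline_ips(records, training_days=2):
    """Per-token set of source IPs seen on the first `training_days` calendar days.

    Assumption for the example: the early part of the log is trusted history.
    In production this would come from a longer, curated baseline.
    """
    if not records:
        return {}
    cutoff = min(r["ts"] for r in records).date() + timedelta(days=training_days)
    known = defaultdict(set)
    for r in records:
        if r["ts"].date() < cutoff:
            known[r["token"]].add(r["ip"])
    return known


def detect(records, known_ips):
    """Return (record, [reasons]) pairs for every record that trips a rule."""
    findings = []
    for r in records:
        reasons = []
        if r["ip"] not in known_ips.get(r["token"], set()):
            reasons.append("unfamiliar_ip")      # T1078-style: valid token, new origin
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if r["bytes"] > LARGE_RESULT_BYTES:
            reasons.append("large_result")       # bulk-download rule
        if reasons:
            findings.append((r, reasons))
    return findings


def correlated_alerts(findings):
    """Escalate tokens whose large download coincides with another anomaly.

    A large export alone may be a legitimate batch job; a large export from a
    token that is also seen from a new IP or off-hours is what gets paged.
    """
    by_token = defaultdict(set)
    for r, reasons in findings:
        by_token[r["token"]].update(reasons)
    return sorted(t for t, reasons in by_token.items()
                  if "large_result" in reasons and reasons - {"large_result"})


def run(text=SAMPLE_LOG):
    """Parse, baseline, detect and correlate in one pass; returns (findings, escalated tokens)."""
    recs = parse_log(text)
    findings = detect(recs, baseline_ips(recs))
    return findings, correlated_alerts(findings)


if __name__ == "__main__":
    found, escalate = run()
    for rec, why in found:
        print(rec["ts"].isoformat(), rec["token"], rec["ip"], rec["op"], ",".join(why))
    print("escalate:", escalate)
```

On the constructed log, only the two 02:xx UTC calls from the previously unseen address trip any rule, and only `tok-A1` is escalated, because its 640 MB export is the one that also carries an unfamiliar-IP and off-hours signal. Tuning the threshold or the baseline window is where most of the real work lies; the correlation step is what keeps an ordinary nightly batch export from paging anyone.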

Watch for follow‑up claims from ShinyHunters or similar groups attempting to monetize the leaked support‑ticket data through targeted phishing or credential‑stuffing attempts.
