Zara Email Leak Traced to Compromised Anodot Credentials

Inditex, parent of Zara, disclosed that unauthorized access came through a third‑party analytics vendor it no longer uses. The attacker gained entry to BigQuery instances hosting order and support data, extracting a 140 GB archive that included email addresses, product SKUs, order IDs, geographic locations and support tickets. No names, passwords, payment details or phone numbers were stored in the affected tables, according to the company.

- 197,400 unique email addresses were exposed, as verified by Have I Been Pwned. - The leak also contained order IDs, SKUs, purchase history and support tickets, enabling detailed profiling of shopping habits. - ShinyHunters claimed the intrusion used compromised Anodot authentication tokens to move from the analytics platform into BigQuery, a technique they have reused against dozens of other firms. - The group posted a Tor‑based leak site demanding payment, citing “incredible patience” and referencing prior victims such as Vimeo, Rockstar Games and the European Commission. - Inditex applied its security protocols, notified authorities and stated that operations and customer services remain unaffected.

The incident shows how a single credential compromise in a SaaS analytics tool can cascade into broad data exposure across multiple customer‑facing services. Attackers exploited valid cloud accounts (MITRE ATT&CK T1078.004) to run unauthorized queries, then exfiltrated results via standard BigQuery export functions. Defenders should treat token‑based access to analytics platforms as a high‑value target and enforce strict controls.