NEARLY 197,000 Zara customers have been affected by a third-party security incident connected to Inditex, with exposed data including unique emails, order IDs, product SKUs, geographic locations, purchase history and customer support tickets. Inditex said the compromised databases did not contain names, passwords, payment details, addresses or phone numbers.
The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances, exploiting compromised Anodot authentication tokens, though Inditex has not named the compromised provider or attributed the attack to a specific threat actor. Have I Been Pwned analysed the dataset and confirmed 197,400 unique email addresses among the compromised records.
The incident is linked to a broader campaign in April 2026 in which ShinyHunters targeted multiple organisations, including Zara, as part of a “pay or leak” tactic. Inditex says operations and systems were not affected and customers can continue to use Zara’s services safely, according to Have I Been Pwned.