ShinyHunters, the prolific data extortion group responsible for breaches at Ticketmaster, Snowflake customers, and dozens of other enterprises, has compromised data belonging to Zara customers through a supply chain attack on Anodot, an Israeli AI analytics firm that Inditex (Zara's parent company) used as a third-party technology provider. According to breach notification service Have I Been Pwned, 197,000 unique email addresses from the breach have now been indexed and owners notified. Inditex confirmed the breach on approximately April 15–16, 2026 but disputed the scope, stating only "commercial relations" data was taken and that no customer personal data was compromised.
How the Breach Occurred
ShinyHunters accessed Zara data not by breaching Inditex's own systems directly, but by compromising Anodot — a cloud analytics platform Inditex used to process commercial data. Anodot had previously been linked to a breach affecting Rockstar Games, suggesting either that the same compromised credentials were reused, or that ShinyHunters maintained persistent access to Anodot's environment across multiple attacks.
From within the Anodot environment, attackers exfiltrated data stored in Google BigQuery (a cloud data warehouse service) instances associated with Inditex's analytics workloads. ShinyHunters claimed to have taken 192 GB of data from these BigQuery tables.
Hudson Rock threat intelligence analysis identified that at least three Zara employees' credentials had been previously compromised by infostealer malware, providing the likely initial foothold for the Anodot access. This is consistent with the broader playbook documented in the 2024 Snowflake campaign: attackers harvest employee credentials via commodity infostealers, then use those credentials to log into cloud data platforms rather than attacking perimeter defenses directly.
The attack was part of ShinyHunters' April 2026 campaign, which also named Udemy, 7-Eleven, and Carnival as victims of the same Anodot-linked intrusion wave. ShinyHunters issued a "final warning" deadline of April 21, 2026 for Inditex to respond to their extortion demand.
What Data Was Exposed
There is a material conflict between what ShinyHunters claims and what Inditex publicly acknowledged:
ShinyHunters' claim: 192 GB of data from Google BigQuery, described as including commercial transaction metadata, purchase histories, and personal identifiers.
Inditex's official position: Only "commercial relations" data was taken. The company explicitly stated that no customer names, contact details, passwords, or payment and banking information were compromised. Inditex described the event as "part of a larger security event that impacted several other international corporations."
Have I Been Pwned indexing: Troy Hunt's breach notification service added 197,000 unique email addresses to its database from the verified breach dataset. HIBP's methodology involves verifying that email addresses are authentic and unique before indexing — the 197,000 figure represents the confirmed distinct email count in the portion of the data that HIBP processed, not necessarily the total count of affected individuals across ShinyHunters' claimed 192 GB.
The discrepancy between Inditex's "no customer personal data" position and the presence of 197,000 email addresses in HIBP likely reflects the scope of "commercial relations" data: analytics tables that process transaction data often contain email addresses and other identifiers as part of commercial record-keeping, even if the data is not structured as a traditional customer identity database. Security analysis from UpGuard notes that "customer transaction records appear to have been exposed" while confirming that "sensitive personal or banking information was not compromised."
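To make that point concrete, the Python example below is added here and is not code from Inditex, Anodot or HIBP. It scans a constructed transaction export (the column names and rows are assumptions) for email addresses in any column, including free-text fields, and counts distinct addresses once each regardless of letter case.

```python
import csv
import io
import re

# Constructed sample of an analytics export: no "customer" table, yet identifiers ride along.
SAMPLE_EXPORT = """order_id,store,basket_total,receipt_to,notes
A1001,ES-0042,59.90,Ana.Lopez@example.com,gift wrap
A1002,ES-0042,120.00,ana.lopez@example.com,
A1003,FR-0107,35.50,,e-receipt sent to j.martin@example.org
A1004,FR-0107,18.00,k.sato@example.net,
A1005,DE-0310,77.25,,in-store pickup
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def scan_export(csv_text):
    """Return ({column: stats} for columns holding emails, set of distinct addresses)."""
    columns = {}      # column name -> {"rows_with_email": int, "rows": int}
    distinct = set()  # lower-cased addresses, so case variants count once
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, value in row.items():
            text = value if isinstance(value, str) else ""  # short or ragged rows
            stats = columns.setdefault(name, {"rows_with_email": 0, "rows": 0})
            stats["rows"] += 1
            found = EMAIL_RE.findall(text)
            if found:
                stats["rows_with_email"] += 1
                distinct.update(addr.lower() for addr in found)
    flagged = {n: s for n, s in columns.items() if s["rows_with_email"]}
    return flagged, distinct


def report(csv_text):
    """Summarise which columns carry addresses and how many distinct ones exist."""
    flagged, distinct = scan_export(csv_text)
    lines = [
        f"{name}: {s['rows_with_email']}/{s['rows']} rows contain an email address"
        for name, s in sorted(flagged.items())
    ]
    lines.append(f"distinct addresses: {len(distinct)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run against a sample of each table before it is shared with a vendor, a check like this shows which "commercial" columns would need to be dropped, hashed or tokenized.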
Who Is Affected
Any individual who shopped at Zara (or other Inditex brands including Massimo Dutti, Pull&Bear, Bershka, Stradivarius, Oysho, and Zara Home) and whose email address was associated with Inditex analytics data may have been included in the breach. The HIBP indexing of 197,000 email addresses gives affected users a concrete way to check their exposure.
The breach occurred in the context of Inditex's analytics data processed through Anodot — so the affected population is most likely individuals whose purchasing activity was analyzed through that platform, rather than every Inditex customer globally (Inditex has over 5,600 stores in 88 markets and serves hundreds of millions of customers).
Exploitation Status and Threat Landscape
ShinyHunters — also known as SilverFish — is one of the most active data extortion groups globally, with a documented history dating to 2020 and attributed breaches including Ticketmaster (560 million records, 2024), Santander Bank, AT&T, and dozens of Snowflake-hosted customer environments. The group operates via a dark web leak portal and typically follows a structured extortion playbook: announce the breach publicly, provide sample data to establish credibility, set a payment deadline, and publish or sell the data when the deadline passes.
The Anodot attack vector is a textbook third-party supply chain compromise — a pattern CISA and the FBI have highlighted as one of the most effective methods of breaching large enterprises that invest heavily in direct perimeter defenses. By targeting the analytics vendor rather than Inditex directly, ShinyHunters avoided Inditex's enterprise security controls and accessed data that was less rigorously protected in the analytics environment.
The specific technique of harvesting employee credentials via infostealer malware (the Hudson Rock finding of three compromised Zara employee credentials) is consistent with the CISA and FBI joint advisory on LummaC2 infostealer malware — a commodity credential theft tool widely deployed to build databases of corporate login credentials for exactly this type of downstream exploitation.
What Affected Customers Should Do
Inditex did not issue direct notifications to customers and has not recommended specific protective actions, consistent with its position that customer personal data was not exposed. However, given that 197,000 email addresses are now confirmed in a public breach database, affected individuals should:
- Check Have I Been Pwned. Visit haveibeenpwned.com and enter your email address to confirm whether you appear in the Inditex/Zara breach data.
- Change your Zara account password if you use the same password anywhere else. Even if payment data was not exposed, a confirmed email address combined with password reuse creates phishing and account-takeover risk.
- Enable two-factor authentication (2FA) on your Zara account and on any email account associated with it.
- Watch for phishing attempts. ShinyHunters and their affiliates routinely use breach email lists for targeted phishing campaigns. Expect emails using Zara or Inditex branding asking you to "verify your account," "claim a refund," or "confirm a suspicious order."
- Monitor financial accounts. While Inditex states payment data was not exposed, monitor credit card and bank statements associated with Zara purchases as a precaution, particularly for small-value test transactions.
- Subscribe to HIBP breach alerts. Register your email at haveibeenpwned.com to receive automatic notifications of future breaches — this is particularly valuable for email addresses used with retail and e-commerce accounts.
Background: The Analytics Supply Chain as Attack Surface
The Zara breach illustrates a risk that is underappreciated relative to its frequency: enterprise analytics platforms regularly receive data exports from core business systems, and those exports often contain customer-identifiable information that is less tightly governed than the source databases.
Data governance frameworks typically focus security controls at the source system (the CRM, the order management system, the ERP). When that data is exported to a third-party analytics platform for business intelligence processing, it often moves outside the security perimeter with less scrutiny — smaller vendor, different trust model, different security team, potentially weaker contractual requirements.
The 2024 Snowflake campaign made this exact dynamic visible at scale: attackers systematically targeted the analytics and data warehouse layer rather than the application layer, because the analytics environment held rich data exports from dozens of source systems with a single credential set providing access to all of them. The Anodot attack on Inditex follows the same logic.
This is a structural problem that organizations need to address at the vendor procurement and data governance layer, not just at the perimeter. Analytics vendors that process production data exports should be subject to the same third-party security review requirements as core infrastructure providers — including contractual requirements for encryption at rest, access logging, MFA enforcement, and credential rotation policies.
Retailers in particular are high-value targets for ShinyHunters and similar groups because transaction data — even without payment card numbers — contains rich behavioral information useful for targeted fraud and social engineering. The Inditex breach joins a growing list of retail supply chain compromises including 7-Eleven and Ticketmaster in the same campaign wave.
Conclusion
ShinyHunters' supply chain attack on Inditex via analytics vendor Anodot has placed 197,000 email addresses into Have I Been Pwned, giving affected Zara customers a concrete way to verify their exposure. Inditex disputes that personal data was compromised, but the HIBP indexing confirms email address exposure at minimum. Affected customers should check HIBP immediately, change reused passwords, and stay alert for Zara-themed phishing. Security teams should use this incident as a prompt to audit the data governance and security requirements applied to third-party analytics vendors.

