Zara confirmed in ShinyHunters Anodot fallout - 197,000 customer support records leaked

Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.

Check

Search corporate email logs for a spike in phishing or fake order-status messages spoofing Zara customer service over the past 30 days, especially targeting users who shop with their work email.

Affected

Zara customers who contacted customer support are exposed via leaked email addresses, product SKUs, order IDs, and the market of origin (197,376 unique addresses confirmed by HIBP). Inditex has stated no passwords or payment information were included. Any organization whose data was held by Anodot remains part of this broader supply-chain campaign.

Fix

Treat the 197K leaked email addresses as confirmed-exposed for phishing targeting. Apply stricter inbound filtering for Zara order-status or return-label phishing lures. Educate employees who use work email for personal e-commerce. If your company uses Anodot, or routes data through Snowflake integrations exposed by the Anodot breach, follow the remediation Anodot and Snowflake published in April and rotate any tokens shared with Anodot.