Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: retail (3 articles)Clear

Ralph Lauren breach exposes customer data as ShinyHunters extends retail spree

Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.

Check
Ralph Lauren customers should check Have I Been Pwned for their email, watch for phishing or fraudulent charges referencing orders or accounts, and review payment statements for unauthorized activity.
Affected
Ralph Lauren customers whose personal, purchase, and transaction data was exposed (139,903 accounts confirmed); the breach is part of a broader ShinyHunters wave hitting retail and luxury brands through connected platforms.
Fix
Reset and stop reusing any Ralph Lauren account passwords, enable MFA, stay alert to order- and refund-themed phishing, and consider monitoring payment cards used with the retailer for fraud.

Zara confirmed in ShinyHunters Anodot fallout - 197,000 customer support records leaked

Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.

Check
Search corporate email logs for a spike in phishing or fake order-status messages spoofing Zara customer service over the past 30 days, especially targeting users who shop with their work email.
Affected
Zara customers who contacted customer support are exposed via leaked email addresses, product SKUs, order IDs, and the market of origin (197,376 unique addresses confirmed by HIBP). Inditex has stated no passwords or payment information were included. Any organization whose data was held by Anodot remains part of this broader supply-chain campaign.
Fix
Treat the 197K leaked email addresses as confirmed-exposed for phishing targeting. Apply stricter inbound filtering for Zara order-status or return-label phishing lures. Educate employees who use work email for personal e-commerce. If your company uses Anodot, or routes data through Snowflake integrations exposed by the Anodot breach, follow the remediation Anodot and Snowflake published in April and rotate any tokens shared with Anodot.

Dutch cosmetics giant Rituals discloses 'My Rituals' membership database breach

Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.

Check
If your staff or customers subscribe to Rituals memberships (especially in Europe where store density is highest) brief them that loyalty-themed phishing is likely to follow and add rituals.com lookalike domains to your brand monitoring watchlist.
Affected
Anyone with a 'My Rituals' loyalty membership. Businesses that have ever used Rituals for corporate gifting and stored staff contact details in the member account. Organizations with marketing-driven email collection at Rituals store counters for staff-appreciation programs.
Fix
Monitor phishing tags for any message claiming to be from Rituals or a Rituals partner. If your organization collected staff contact details through a Rituals-branded corporate gifting campaign, notify those staff proactively. Add rituals-[typo].com lookalikes to DMARC reporting and to your brand-monitoring ruleset. Rotate any password that was reused between a My Rituals account and another service. For European users, watch for follow-up notifications from Autoriteit Persoonsgegevens once the breach scope is confirmed, and keep the 90-day GDPR clock in mind for your own records of any shared data.