retail - TrustStrike Labs

breach

2026-05-11

Zara confirmed in ShinyHunters Anodot fallout - 197,000 customer support records leaked

Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.

shinyhunters extortion supply-chain anodot retail

Check: Search corporate email logs for a spike in phishing or fake order-status messages spoofing Zara customer service over the past 30 days, especially targeting users who shop with their work email.
Affected: Zara customers who contacted customer support are exposed via leaked email addresses, product SKUs, order IDs, and the market of origin (197,376 unique addresses confirmed by HIBP). Inditex has stated no passwords or payment information were included. Any organization whose data was held by Anodot remains part of this broader supply-chain campaign.
Fix: Treat the 197K leaked email addresses as confirmed-exposed for phishing targeting. Apply stricter inbound filtering for Zara order-status or return-label phishing lures. Educate employees who use work email for personal e-commerce. If your company uses Anodot, or routes data through Snowflake integrations exposed by the Anodot breach, follow the remediation Anodot and Snowflake published in April and rotate any tokens shared with Anodot.

breach

2026-04-23

Dutch cosmetics giant Rituals discloses 'My Rituals' membership database breach

Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.

rituals loyalty-breach europe gdpr phishing-risk retail

Check: If your staff or customers subscribe to Rituals memberships (especially in Europe where store density is highest) brief them that loyalty-themed phishing is likely to follow and add rituals.com lookalike domains to your brand monitoring watchlist.
Affected: Anyone with a 'My Rituals' loyalty membership. Businesses that have ever used Rituals for corporate gifting and stored staff contact details in the member account. Organizations with marketing-driven email collection at Rituals store counters for staff-appreciation programs.
Fix: Monitor phishing tags for any message claiming to be from Rituals or a Rituals partner. If your organization collected staff contact details through a Rituals-branded corporate gifting campaign, notify those staff proactively. Add rituals-[typo].com lookalikes to DMARC reporting and to your brand-monitoring ruleset. Rotate any password that was reused between a My Rituals account and another service. For European users, watch for follow-up notifications from Autoriteit Persoonsgegevens once the breach scope is confirmed, and keep the 90-day GDPR clock in mind for your own records of any shared data.