In a significant breach of security, a campaign orchestrated by the hacking group ShinyHunters has led to the compromise of sensitive information affecting over 197,000 customers of the fashion retailer Zara. This disturbing revelation was brought to light by the data breach notification service, HaveIBeenPwned.
According to the details released by HaveIBeenPwned, the compromised information stems from a data breach that transpired in April 2026. During this incident, critical data such as unique email addresses, product Stock Keeping Units (SKU), order IDs, and details relating to customer support tickets were stolen. This unauthorized access raises serious concerns about data privacy and the measures companies have in place to protect their customers’ information.
Initially, Inditex, the parent company of Zara, asserted that no sensitive customer data—such as names, passwords, bank card information, or other payment details—were compromised during the incident. In a statement released in mid-April, Inditex confirmed that they promptly enacted their security protocols and began notifying the appropriate authorities regarding the unauthorized access. They clarified that this breach was linked to a security incident impacting a former technology provider, which, in turn, affected several global companies. Notably, the company’s operations reportedly remained unaffected by this breach, a point they emphasized to allay customer concerns.
The attack appears to have originated from a breach involving the analytics provider Anodot, whose authentication tokens were allegedly misused to infiltrate various downstream data platforms. ShinyHunters claimed responsibility for leaking a substantial 140GB trove of documents, which they asserted were taken from BigQuery instances accessed through these compromised tokens. The ramifications of this incident extend beyond Zara, as it is believed that other corporate victims, including notable names like Vimeo, Rockstar Games, and the educational technology giant McGraw Hill, were also affected. Collectively, millions of customers’ personal data are at risk.
HaveIBeenPwned disclosed that the ShinyHunters group claimed to have accessed as many as 95 million support ticket records through this attack. This trove of data was not only stored in BigQuery but also in the Snowflake instances of the affected corporate entities. The breadth and magnitude of the breach underscore a systematic effort by the hackers to exploit vulnerabilities across various platforms and networks.
In the broader context of ShinyHunters’ activities, the group has been targeting various sectors, with a particular emphasis on education. In late April 2026, for instance, they targeted Instructure, the developer behind the widely used Canvas Learning Management System. This breach resulted in the exposure of names, email addresses, student identification numbers, and even internal messages. However, Instructure reported that no passwords, dates of birth, government identifiers, or financial details were compromised in this instance.
The impact of this breach is far-reaching, affecting approximately 8,809 users of the Canvas platform across 50 countries, encompassing universities, K–12 school districts, and teaching hospitals globally, including several Ivy League institutions. The nature of the sensitive data stored on Canvas—such as medical accommodation requests and private conversations with advisors—presents a heightened risk of targeted spear-phishing attacks. TrendAI, a cybersecurity firm, articulated concerns regarding the potential for follow-on social engineering tactics, credential abuse, and tailored phishing campaigns that could exploit the compromised details.
In an alarming maneuver to pressure Instructure into paying a ransom, ShinyHunters took drastic measures by defacing the login portals of hundreds of educational institutions that use Canvas. This action exploited vulnerabilities in the system, creating an immediate threat for the organizations involved. In a threatening note released by the group, they indicated that institutions wishing to avoid data leakage should reach out to a cyber advisory firm and engage directly with them to negotiate a settlement, establishing a deadline of May 12, 2026, for compliance.
As more details emerge about the ShinyHunters campaign and its wide-reaching implications, the need for robust cybersecurity measures becomes increasingly critical for all organizations, particularly those handling sensitive customer data. The fashion industry, educational institutions, and beyond must reevaluate their security protocols to safeguard against such significant breaches in the future.