Zara Data Breach: Over 197,000 Customers Affected; ShinyHunters Claim Responsibility
Fast-fashion retailer **Zara** has confirmed a data breach affecting over 197,000 customers. The **ShinyHunters** extortion group has claimed responsibility, leaking a 140GB archive of allegedly stolen data.
Hackers have successfully breached the databases of Spanish fast-fashion retailer **Zara**, compromising the data of over 197,000 customers, according to **Have I Been Pwned**.
**Zara**, a flagship brand of the **Inditex Group**, which also owns brands like Bershka and Pull&Bear, operates over 1,500 stores worldwide.
### Breach Details
**Inditex** revealed last month that the compromised databases were hosted by a former tech provider and contained information about business relationships with customers. The company stated that names, phone numbers, addresses, credentials, and payment information were not accessed. However, the full scope of the breach and the identity of the affected provider remained undisclosed until now.
"**Inditex** has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally," **Inditex** said.
### ShinyHunters Claim Responsibility
The **ShinyHunters** extortion gang has claimed responsibility for the breach, leaking a 140GB archive purportedly stolen from **BigQuery** instances using compromised **Anodot** authentication tokens.

**Have I Been Pwned**'s analysis revealed that the breach exposed 197,400 unique email addresses, geographic locations, purchases, and support tickets. "The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in," **Have I Been Pwned** stated.
### ShinyHunters' Modus Operandi
**ShinyHunters** previously disclosed to BleepingComputer that they had stolen data from numerous companies using **Anodot** authentication tokens. They also mentioned being thwarted by AI-based detection when attempting to steal data from **Salesforce** instances.
The group has also been linked to a widespread vishing campaign targeting employees' **Microsoft Entra**, **Okta**, and **Google** SSO accounts. After breaching the corporate SSO accounts, the attackers steal data from connected SaaS applications, including **Salesforce**, **SAP**, **Slack**, **Adobe**, **Atlassian**, **Zendesk**, **Dropbox**, **Microsoft 365**, **Google Workspace**, and others.
### Previous ShinyHunters Targets
Other breaches claimed by **ShinyHunters** in recent months include **Google**, **Cisco**, **PornHub**, **Match Group**, **Vimeo**, **Rockstar Games**, **ADT**, the **European Commission**, **McGraw Hill**, **Medtronic**, **Carnival**, **7-Eleven**, and **Udemy**.
More recently, **ShinyHunters** hacked education technology giant **Instructure** twice. The second time, the group exploited a security vulnerability to deface **Canvas** login portals for approximately 330 colleges and universities and threatened to leak data stolen in the earlier **Instructure** breach unless a ransom was paid.
**MANGO**, another Spanish fashion retailer, also sent notices of a data breach to its customers in October, warning them that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. However, no ransomware or extortion groups have claimed the **MANGO** incident, so the attackers remain unknown.
