
Zara Joins the Anodot Casualty List as ShinyHunters Cashes In on Third-Party Trust

Inditex confirmed roughly 197,000 Zara customer records were exposed via Anodot, an Israeli AI analytics platform compromised by ShinyHunters. The crew used stolen authentication tokens to pivot into BigQuery instances of multiple downstream customers, hauling out 140GB from Zara alone. Email addresses, order IDs, SKUs, and support tickets leaked, but no payment data or passwords. The supply-chain pattern mirrors the 2024 Snowflake campaign.

By Danny Mercer, CISSP — Lead Security Analyst, May 9, 2026

If you needed proof that your security posture is only as strong as the analytics vendor your marketing team signed up for last quarter, Inditex just delivered it. The Spanish retail giant behind Zara confirmed that roughly 197,000 customers had personal data swept up in a breach that never actually touched Zara's own infrastructure. The damage came through Anodot, an Israeli AI analytics platform that lost its authentication tokens to ShinyHunters, the same extortion crew that has been working its way through Google, Cisco, Vimeo, Rockstar Games, and even the European Commission over the past year.

The exposed dataset, confirmed by Have I Been Pwned, includes 197,400 unique email addresses paired with order IDs, product SKUs, customer support tickets, and the geographic market each ticket originated in. Inditex was quick to point out what was not in the leak, and the list is genuinely reassuring. No names, no phone numbers, no postal addresses, no passwords, and no payment details. For a retailer of Zara's scale, that is a meaningful firewall between the breach and the kind of identity theft cascade that usually follows these incidents. Still, an email address tied to a real purchase history is a phishing kit waiting to happen, and the ShinyHunters crew knows it.

The attack vector is the part security teams should actually be losing sleep over. ShinyHunters compromised Anodot, then used the platform's stolen authentication tokens to pivot into the BigQuery instances of multiple downstream customers at once. They hauled out a 140GB archive from Zara's slice of that environment, part of a broader haul that reportedly approaches a terabyte across all victims. This is the same supply-chain pattern that gutted Snowflake customers in 2024, just running through a different SaaS bridge. The crew has been pairing this with vishing campaigns aimed at SSO accounts in Microsoft Entra, Okta, and Google Workspace, which means even orgs that lock down their direct vendors are still exposed if their helpdesk staff can be social-engineered into resetting MFA.

Inditex moved fast on the disclosure side. The company stated it had "immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access," and confirmed the issue traces back to "a former technology provider" that also "impacted several companies operating internationally." ShinyHunters had posted Zara on its Tor leak portal on April 17 with a four-day deadline to make contact, and when Inditex did not pay, the data dropped. The whole episode wrapped up in under a week from public extortion to full leak, which is roughly the operational tempo defenders should be planning around now.

The takeaway is uncomfortable but useful. A SaaS analytics tool with read access to your customer database is a regulated data store, and it deserves the same scrutiny as your CRM. Inventory every third party with token-based access to your data warehouses, rotate those tokens on a schedule rather than after an incident, and assume any vendor breach disclosed in a press release was preceded by weeks of silent access you never saw. When the bill comes due, it does not matter whose logo is on the SaaS dashboard. The customers and the regulators see your name on the headline.

Business angle for MSPs and security teams: every SMB running Klaviyo, Segment, Shopify analytics, or any middleware with OAuth into a data warehouse is in scope for this exact pattern, and most have no inventory of who holds what tokens against their data. A quarterly third-party access review with token rotation, paired with darkweb monitoring keyed to client domains, turns a ShinyHunters headline into a closed deal. Vishing-resistant MFA rollouts using FIDO2 keys or Entra number matching are the natural follow-on, because once you have shown a client how their vendor became their attacker, the rest writes itself.
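The inventory and scheduled-rotation review described in the last two paragraphs can be sketched as follows. This is an added example, not code from the article or from any vendor named in it. It assumes third-party access shows up as IAM bindings and user-managed service account keys on a Google Cloud project; the project names, domains, function names and the 90-day threshold are hypothetical, and the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
POLICY = json.loads("""{"bindings": [
 {"role": "roles/bigquery.dataViewer",
  "members": ["serviceAccount:etl@retail-prod.iam.gserviceaccount.com",
              "serviceAccount:connector@vendor-analytics.iam.gserviceaccount.com"]},
 {"role": "roles/bigquery.admin", "members": ["user:ops@partner.example"]},
 {"role": "roles/storage.objectViewer", "members": ["user:dev@retail.example"]}]}""")

# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`.
KEYS = json.loads("""[
 {"name": "projects/p/serviceAccounts/sa/keys/k-old", "keyType": "USER_MANAGED",
  "validAfterTime": "2025-01-10T00:00:00Z"},
 {"name": "projects/p/serviceAccounts/sa/keys/k-new", "keyType": "USER_MANAGED",
  "validAfterTime": "2026-04-01T00:00:00Z"},
 {"name": "projects/p/serviceAccounts/sa/keys/k-sys", "keyType": "SYSTEM_MANAGED",
  "validAfterTime": "2024-01-01T00:00:00Z"}]""")

def external_bigquery_members(policy, own_projects, own_domains):
    """Return (member, role) pairs holding a BigQuery role from outside the org."""
    findings = []
    for binding in policy.get("bindings", []):
        if not binding["role"].startswith("roles/bigquery."):
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            domain = ident.rpartition("@")[2]
            if kind == "serviceAccount":
                # Service account emails end in <project-id>.iam.gserviceaccount.com
                owned = domain.split(".")[0] in own_projects
            else:
                owned = domain in own_domains  # allUsers etc. fall through as external
            if not owned:
                findings.append((member, binding["role"]))
    return sorted(findings)

def stale_keys(keys, now, max_age_days=90):
    """Return (key_id, age_days) for user-managed keys past the rotation window."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age = (now - created).days
        if age > max_age_days:
            stale.append((key["name"].split("/keys/")[-1], age))
    return stale

if __name__ == "__main__":
    print(external_bigquery_members(POLICY, {"retail-prod"}, {"retail.example"}))
    print(stale_keys(KEYS, datetime.now(timezone.utc)))
```

Every flagged member should map to a named vendor contract and owner; anything that does not is a candidate for removal before the next rotation cycle.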
