Third‑Party Breach Exposes 197,000 Zara Customer Records via Compromised Anodot Analytics Platform
What Happened – The ShinyHunters extortion group stole a 140 GB BigQuery archive from the Anodot analytics platform, a former technology provider for Inditex. The breach exposed 197,000 unique Zara customer email addresses together with order IDs, product SKUs, purchase history, geographic locations and support tickets. No passwords, payment details, addresses or phone numbers were compromised.
Why It Matters for TPRM –
- Third‑party SaaS providers can become the weakest link in a retailer’s data‑privacy chain.
- Exposure of purchase‑history data enables profiling, targeted phishing, and credential‑stuffing attacks.
- The incident demonstrates how stolen authentication tokens can be leveraged to harvest large cloud‑hosted datasets.
Who Is Affected – Retail & e‑commerce firms using external analytics or cloud data platforms; vendors of BigQuery‑style data warehouses; customers of Inditex brands (Zara, Bershka, Pull&Bear, Massimo Dutti).
Recommended Actions –
- Review contracts and security clauses with analytics and cloud‑hosting vendors; require token‑management best practices.
- Verify that all third‑party access tokens are rotated, scoped, and monitored for anomalous activity.
- Conduct a data‑mapping exercise to identify any other customer‑facing services that rely on the same provider.
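One way to monitor third-party tokens for anomalous activity, as recommended above, is to baseline each vendor principal's BigQuery usage and flag new caller IPs or volume spikes. This is an added example, not code from the source report or from any vendor. The records are constructed and flattened; only the field names principalEmail, callerIp and totalProcessedBytes follow Cloud Audit Logs naming, while the accounts, IPs, dates and the 10x threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

GIB = 1024 ** 3
# Constructed service accounts (assumptions, not taken from the incident).
VENDOR = "vendor-analytics@example-project.iam.gserviceaccount.com"
ETL = "internal-etl@example-project.iam.gserviceaccount.com"

def rec(day, principal, ip, gib):
    # Flattened stand-in for one BigQuery data-access audit entry (constructed).
    return {"day": day, "principalEmail": principal, "callerIp": ip,
            "totalProcessedBytes": str(gib * GIB)}  # int64 arrives as a string

BASELINE = [  # constructed history of normal use
    rec("2025-01-01", VENDOR, "198.51.100.10", 2),
    rec("2025-01-02", VENDOR, "198.51.100.10", 3),
    rec("2025-01-03", VENDOR, "198.51.100.11", 2),
    rec("2025-01-01", ETL, "192.0.2.5", 40),
    rec("2025-01-02", ETL, "192.0.2.5", 42)]
WINDOW = [  # constructed review window: vendor token reused from a new IP
    rec("2025-01-04", VENDOR, "198.51.100.10", 2),
    rec("2025-01-05", VENDOR, "203.0.113.77", 70),
    rec("2025-01-05", VENDOR, "203.0.113.77", 70),
    rec("2025-01-05", ETL, "192.0.2.5", 41)]

def daily_usage(records):
    """Sum bytes read and collect caller IPs per (principal, day)."""
    usage = defaultdict(lambda: {"bytes": 0, "ips": set()})
    for r in records:
        slot = usage[(r["principalEmail"], r["day"])]
        slot["bytes"] += int(r["totalProcessedBytes"])
        slot["ips"].add(r["callerIp"])
    return usage

def find_anomalies(baseline, window, volume_factor=10):
    """Return (day, principal, reason) for unseen IPs or volume spikes."""
    known_ips, volumes = defaultdict(set), defaultdict(list)
    for (principal, _), slot in daily_usage(baseline).items():
        known_ips[principal] |= slot["ips"]
        volumes[principal].append(slot["bytes"])
    findings = []
    for (principal, day), slot in sorted(daily_usage(window).items()):
        if principal not in volumes:  # token with no history needs review
            findings.append((day, principal, "no-baseline"))
            continue
        new_ips = sorted(slot["ips"] - known_ips[principal])
        if new_ips:
            findings.append((day, principal, "new-caller-ip:" + ",".join(new_ips)))
        if slot["bytes"] > volume_factor * median(volumes[principal]):
            findings.append((day, principal, "volume-spike"))
    return findings
```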
Technical Notes – Attack vector: compromised authentication tokens (STOLEN_CREDENTIALS) used to access Anodot‑hosted BigQuery instances (CLOUD_HOST). No known CVE; data types exfiltrated: emails, order IDs, SKUs, purchase logs, support tickets, geo‑metadata. Source: SecurityAffairs