ManoMano, a European online DIY, home improvement marketplace with 50 million visitors per month, is notifying customers about a significant data breach that affected an estimated 38 million individuals after it discovered unauthorized access in January 2026 linked to one of its third-party customer service providers.
Although not confirmed, it is rumored that the compromised organization was a customer support service provider that suffered a Zendesk breach. Investigations found that personal data from customer accounts and interactions were extracted by the attackers.
A threat actor using the alias “Indra” claimed responsibility on a hacker forum, alleging possession of roughly 37.8 million user records, over 900,000 service tickets, and over 13,000 attachments. The exposed information varied by individual and may include full names, email addresses, phone numbers, and the contents of customer service communications.
The ManoMano stated that account passwords were not accessed and there is no evidence of data being altered within its internal systems. Upon discovering the incident, the company disabled the subcontractor’s access to customer data, strengthened access controls and monitoring, notified relevant authorities, and began informing potentially affected users with guidance on vigilance against phishing and other threats.
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The data breach at ManoMano allowed the threat actor “Indra” to abscond with almost 38 million user records and close to a million service tickets. Although internal systems were unaffected, this highlights the inherent dangers associated with the “extended enterprise” model and reliance on third parties. This incident is believed to be connected to a broader exploitation of Zendesk. It underscores the sensitivity of customer support communications that frequently contain unmasked personal information and user behavior data.
“The true prize lies not merely in contact details but also in the 13,000 pilfered attachments and service logs that provide the ideal blueprint for highly targeted phishing attacks. The primary threat isn’t necessarily account hijacking, but rather scams referencing actual past purchases or support interactions. Any communication purporting to be from a support representative should be viewed with suspicion.
“Retailers should take this event as a strong impetus to enforce stringent vendor security protocols. This includes minimal data sharing, robust access controls, ongoing monitoring, and swift mechanisms to revoke third-party access when suspicious activity is detected.
“When a contractor gets breached, the fallout belongs to you, not the subcontractor.”
Denis Calderone, CTO, Suzu Labs:
“ManoMano wasn’t breached directly. Their outsourced customer support provider got compromised, and through that one access point attackers pulled millions of customer records and close to a million support tickets. This is the supply chain problem we keep talking about. You can lock your own house down all you want, but if your subcontractor leaves their door open, your data walks out through their environment.
“What really caught our attention though is the support ticket data. People don’t think about what lives in support tickets. It’s not just names and emails. It’s conversations, order details, complaints, account issues, file attachments. That’s gold for social engineering. An attacker can reference your specific order, your specific complaint, and suddenly that phishing email doesn’t look like phishing anymore. It looks like a legitimate follow-up from customer support.
“So, if you’re outsourcing customer support, ask yourself if a single agent account on the provider’s side can export your entire customer database? What kind of export controls exist to minimize the blast radius from a breach such as this? If you don’t know the answers, that’s where you start.”
Outsourcing saves cash, but it introduces a variety of dangers. This is a big one. Thus if I were an organization thinking of outsourcing something, this would make me think twice.
Like this:
Like Loading...
Related
This entry was posted on February 27, 2026 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
38 million customers impacted in ManoMano third-party data breach
ManoMano, a European online DIY, home improvement marketplace with 50 million visitors per month, is notifying customers about a significant data breach that affected an estimated 38 million individuals after it discovered unauthorized access in January 2026 linked to one of its third-party customer service providers.
Although not confirmed, it is rumored that the compromised organization was a customer support service provider that suffered a Zendesk breach. Investigations found that personal data from customer accounts and interactions were extracted by the attackers.
A threat actor using the alias “Indra” claimed responsibility on a hacker forum, alleging possession of roughly 37.8 million user records, over 900,000 service tickets, and over 13,000 attachments. The exposed information varied by individual and may include full names, email addresses, phone numbers, and the contents of customer service communications.
The ManoMano stated that account passwords were not accessed and there is no evidence of data being altered within its internal systems. Upon discovering the incident, the company disabled the subcontractor’s access to customer data, strengthened access controls and monitoring, notified relevant authorities, and began informing potentially affected users with guidance on vigilance against phishing and other threats.
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The data breach at ManoMano allowed the threat actor “Indra” to abscond with almost 38 million user records and close to a million service tickets. Although internal systems were unaffected, this highlights the inherent dangers associated with the “extended enterprise” model and reliance on third parties. This incident is believed to be connected to a broader exploitation of Zendesk. It underscores the sensitivity of customer support communications that frequently contain unmasked personal information and user behavior data.
“The true prize lies not merely in contact details but also in the 13,000 pilfered attachments and service logs that provide the ideal blueprint for highly targeted phishing attacks. The primary threat isn’t necessarily account hijacking, but rather scams referencing actual past purchases or support interactions. Any communication purporting to be from a support representative should be viewed with suspicion.
“Retailers should take this event as a strong impetus to enforce stringent vendor security protocols. This includes minimal data sharing, robust access controls, ongoing monitoring, and swift mechanisms to revoke third-party access when suspicious activity is detected.
“When a contractor gets breached, the fallout belongs to you, not the subcontractor.”
Denis Calderone, CTO, Suzu Labs:
“ManoMano wasn’t breached directly. Their outsourced customer support provider got compromised, and through that one access point attackers pulled millions of customer records and close to a million support tickets. This is the supply chain problem we keep talking about. You can lock your own house down all you want, but if your subcontractor leaves their door open, your data walks out through their environment.
“What really caught our attention though is the support ticket data. People don’t think about what lives in support tickets. It’s not just names and emails. It’s conversations, order details, complaints, account issues, file attachments. That’s gold for social engineering. An attacker can reference your specific order, your specific complaint, and suddenly that phishing email doesn’t look like phishing anymore. It looks like a legitimate follow-up from customer support.
“So, if you’re outsourcing customer support, ask yourself if a single agent account on the provider’s side can export your entire customer database? What kind of export controls exist to minimize the blast radius from a breach such as this? If you don’t know the answers, that’s where you start.”
Outsourcing saves cash, but it introduces a variety of dangers. This is a big one. Thus if I were an organization thinking of outsourcing something, this would make me think twice.
Share this:
Like this:
Related
This entry was posted on February 27, 2026 at 2:29 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.