Executive Summary
In January 2026, ManoMano, a leading e-commerce platform in Europe specializing in DIY, home improvement and gardening products, discovered that a third-party customer service provider had unauthorized access to customer data. The incident became public at the end of February 2026 and affected approximately 38 million people in France, Belgium, Spain, Italy, Germany and the UK.
The compromised data included full names, emails, phone numbers and customer service contacts, but did not involve account passwords or payment information. The breach originated from a Tunisian subcontractor whose Zendesk account was compromised. ManoMano immediately revoked access, strengthened access controls, and notified CNIL, ANSSI, and other relevant departments.
A hacker using the alias "Indra" admitted to the attack on a hacker forum. The investigation is ongoing, and ManoMano has warned customers to be alert to phishing and social engineering attacks. All information in this summary was obtained from the sources cited below.
Technical Information
The ManoMano data breach is a typical example of a third-party supply chain attack against the e-commerce industry. Hackers gained unauthorized access to a subcontractor's Zendesk account, a cloud-based customer service platform, and stole sensitive customer information, including full names, emails, phone numbers, and customer service records such as support complaints and attachments.
There is no evidence at this time to suggest that the incident involved the deployment of malware, the exploitation of a software vulnerability, or the compromise of ManoMano's core infrastructure. The attack is suspected to have started with the misuse of legitimate credentials or session access rights, obtained through phishing, credential stuffing, or session hijacking; the exact method remains unconfirmed.
The hacker, who goes by the alias "Indra," claimed on the BreachForums forum to have 37.8 million user records, 935,000 support complaints, and 13,500 attachments (about 43GB of data). The attack is consistent with cybercriminals who target SaaS platforms for profit, stealing and reselling or leaking data on a massive scale.
MITRE ATT&CK Techniques
- Valid Accounts (T1078): logging in to the Zendesk platform with legitimate credentials
- External Remote Services (T1133): access through a cloud-based customer service platform
- Data from Information Repositories (T1213): retrieving customer data and support complaints from Zendesk
- Exfiltration Over Web Service (T1567.002): data exfiltration via SaaS platforms
- Data Breach (T1537): disclosure and sale of stolen data on BreachForums
According to ManoMano and multiple independent sources, confidence in the use of valid accounts and external remote services is very high; confidence in the specific technical mechanism of data collection and exfiltration is medium, as no detailed technical traces have been disclosed.
No specific malware or custom tools were identified in the incident, and the attack was carried out solely by abusing legitimate access to Zendesk. ManoMano and third-party investigators have not yet released technical indicators such as hashes and command-and-control infrastructure.
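With no hashes or command-and-control indicators to match, detection of this pattern (T1078 followed by T1213) has to be behavioural. The following is an added example, not part of the original report: it flags an agent account whose daily read volume far exceeds its own history or that appears from a network it has never used. The field names, thresholds and sample rows are constructed for illustration and are not Zendesk's audit schema or data from the incident.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one row per agent account per day, as a helpdesk audit
# export might be aggregated. Hypothetical fields, not Zendesk's real schema.
# (account, day, records_read, attachments_downloaded, source_network)
EVENTS = [
    ("agent.a@vendor.example", "2026-01-05", 42, 3, "AS64500"),
    ("agent.b@vendor.example", "2026-01-05", 30, 1, "AS64500"),
    ("agent.a@vendor.example", "2026-01-06", 38, 2, "AS64500"),
    ("agent.b@vendor.example", "2026-01-06", 28, 0, "AS64500"),
    ("agent.a@vendor.example", "2026-01-07", 51, 2, "AS64500"),
    ("agent.b@vendor.example", "2026-01-07", 35, 2, "AS64500"),
    ("agent.a@vendor.example", "2026-01-08", 45, 2, "AS64500"),
    ("agent.b@vendor.example", "2026-01-08", 61000, 900, "AS64511"),
]

def flag_bulk_access(events, ratio=10, floor=500, min_history=3):
    """Return (account, day, reasons) for account-days that break the
    account's own baseline. Thresholds are illustrative assumptions."""
    history = defaultdict(list)   # account -> volumes of earlier clean days
    networks = defaultdict(set)   # account -> source networks seen so far
    alerts = []
    # ISO dates sort correctly as strings; the sort is stable within a day.
    for account, day, reads, attachments, net in sorted(events, key=lambda e: e[1]):
        volume = reads + attachments
        past = history[account]
        reasons = []
        if len(past) >= min_history:          # need a baseline before judging
            baseline = median(past)
            if volume >= floor and volume > ratio * baseline:
                reasons.append(f"volume {volume} vs median {baseline:g}")
            if net not in networks[account]:
                reasons.append(f"new network {net}")
        if reasons:
            alerts.append((account, day, reasons))
        else:
            past.append(volume)               # flagged days never feed the baseline
        networks[account].add(net)
    return alerts

if __name__ == "__main__":
    for account, day, reasons in flag_bulk_access(EVENTS):
        print(day, account, "; ".join(reasons))
```

Keeping flagged days out of the baseline matters: otherwise one day of bulk retrieval raises the median and masks the days that follow.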
The incident highlights the risks for third-party service providers in the e-commerce industry, especially those responsible for customer service and handling sensitive communications. Hackers are increasingly targeting providers with access to customer data, taking advantage of their weaker security controls and the centralized storage of sensitive data on SaaS platforms.
ManoMano has notified the French Data Protection Authority (CNIL), the National Information Systems Security Agency (ANSSI) and the French Cyber Emergency Platform in accordance with the EU General Data Protection Regulation (GDPR) and the national cybersecurity protocol.
Affected Versions and Timeline
The breach affects all customers whose data is processed through the third-party customer service provider involved (using Zendesk), including ManoMano's personal and business users in France, Belgium, Spain, Italy, Germany, and the United Kingdom. The data exposed varies depending on the content of the customer's interaction with customer service.
Timeline of events:
- January 2026: ManoMano discovers unauthorized access through a third-party vendor and blocks the account in question on the same day
- February 2026: Hacker "Indra" admits responsibility and publicizes the leak on a hacker forum.
- February 26-27, 2026: ManoMano publicizes the incident and notifies customers, as confirmed by BleepingComputer, SecurityAffairs and TechRadar.
There is no evidence that the data in ManoMano's core system has been tampered with, and the investigation is ongoing, with the Group not releasing further technical details at this time.
Threats
The hacker "Indra" admitted to launching the attack on BreachForums, claiming to hold 37.8 million user records, 935,000 support complaints, and 13,500 attachments. The pseudonym's history of activity is not well-documented in the public domain, and there are no other significant cases associated with it.
Its attack tactics -- targeting SaaS customer service platforms, massively stealing customer data, and selling or leaking information on cybercrime forums -- fit the profile of for-profit cybercriminals, not state-sponsored advanced persistent threat (APT) organizations.
The attack exploited privileged access to the Zendesk platform by a third-party subcontractor, reflecting the growing trend of hackers targeting supply chain partners with access to sensitive data. The incident has industry-wide implications for supply chain security and vendor risk management in the e-commerce industry, underscoring the importance of improved access control, continuous monitoring and incident response capabilities.
ManoMano has taken immediate regulatory compliance actions, notified the relevant authorities, and issued guidance to affected customers on phishing and social engineering attacks, advising them to verify the authenticity of communications, monitor bank accounts for fraudulent transactions, and avoid clicking on suspicious links or attachments.
Mitigation Measures and Response Options
The following mitigation measures, in order of severity, have been implemented or recommended in response to the breach:
- Emergency: The company has immediately revoked access to customer data from the subcontractors involved and blocked the affected Zendesk accounts; strengthened access controls and monitoring internally and at all subcontractors; and notified regulators in accordance with GDPR and national cybersecurity requirements.
- High: Ongoing investigation and forensic analysis to determine the full scope and potential risk of leakage; enhanced vendor risk management; and regular security assessments and audits of third parties with access to sensitive data.
- Medium: Send notifications to customers with guidelines to prevent phishing and social engineering; advise customers to verify the authenticity of incoming messages, monitor financial accounts, and avoid suspicious links and attachments.
- Low: Continuously strengthen internal security policies, employee training on supply chain risks, and regularly assess SaaS platform configuration and access rights.
There is no evidence of leakage of passwords or payment information, and there is no need to reset passwords or monitor credit card transactions at this stage. However, customers are advised to remain vigilant and report any suspicious activity immediately.
https://www.rescana.com/post/manomano-zendesk-data-breach-exposes-38-million-customers-across-europe-incident-analysis-and-secur

