ManoMano confirmed in late February 2026 that an incident discovered in January involved unauthorized access to a subcontractor’s customer-support environment, resulting in the extraction of roughly 37.8–38 million customer records.
Exposed fields appear limited to identity and contact details plus support communications (names, emails, phone numbers, and ticket contents). ManoMano says no passwords or direct modifications of its systems occurred; investigators and French authorities (CNIL, ANSSI) have been notified.
- Discovery: ManoMano identified unauthorized access in January 2026 and began notifying affected customers in late February 2026.
- Affected records: ~37.8–38 million customer accounts (company statements and threat-actor postings converge on this figure).
- What was taken: Per ManoMano: full name, email address, phone number, and the text of customer-service interactions (support tickets / attachments) — scope varies by individual depending on the interaction. ManoMano insists passwords were not accessed and no system changes were made on its platform.
- Initial vector (attributed): Compromise of a third-party subcontractor providing customer support — reporting points to a Zendesk-based environment used by a Tunis-based service provider; threat actor alias reported as “Indra.” See the threat-intel signals and forum claims here.
- Traffic context: ManoMano reportedly runs ~50 million unique visitors/month across its e-stores; the leak size equals a very large portion of their user base.
Timeline
- Prior to Jan 2026: Customer-support operations run by a subcontractor using a Zendesk environment (outsourcing common for multinational e-commerce).
- January 2026: ManoMano learns of unauthorized access linked to that provider. Investigation launched.
- Mid–Late February 2026: Threat actor(s) claim possession of ~37.8 million accounts and related ticket data on hacker forums/social platforms; companies and journalists report.
- Late February 2026: ManoMano notifies impacted customers, revokes subcontractor access, and informs French authorities (CNIL) and national cybersecurity agency (ANSSI/CERT-FR). Public reporting appears (see BleepingComputer and other outlets).
Technical Analysis
This is a classic third-party / supply-chain data exposure rather than a direct breach of ManoMano’s core infrastructure. Customer-support platforms like Zendesk Trust Centre centralize ticket content, attachments, and metadata, and thus create a large, searchable cache of customer PII. Common attack patterns seen in recent Zendesk-related incidents include:
- Compromised agent credentials via phishing or SMS-based social engineering (Zendesk has historical incidents where employee or agent account compromise led to data exposure).
- Exploitation of misconfigured integrations or API tokens (third-party tokens exposed or re-used across environments).
- Abuse of support-ticket submission flows or automated scripts to harvest data or send spam/confirmations that lead to escalations.
- Direct compromise of the subcontractor’s environment (e.g., weak MFA, exposed admin consoles, unpatched services).
The reports indicate the extraction came from the subcontractor’s Zendesk instance or its exported archives; that matches the pattern where an attacker accesses the support tool itself (or an agent account) and downloads ticket histories and attachments. Zendesk environments frequently contain unredacted customer messages, order references, and sometimes payment or account identifiers depending on how support workflows are implemented — so even when “passwords weren’t exposed” the ticket content can fuel high-quality phishing and account takeover attempts.
Evidence
- Public claim: A threat actor using the alias Indra posted claims of holding ~37.8M accounts plus support tickets and attachments on hacker forums. That public claim aligns with the volume ManoMano disclosed.
- Sale/leak risk: Ticket archives with names, emails, and phone numbers are attractive to fraudsters and phishing operators — such datasets often appear for sale or are weaponized to craft highly targeted social-engineering campaigns.
- Operational patterns to watch: once support ticket content is in the wild, attackers commonly run campaigns that mimic the brand’s tone and legitimate ticket messages, increasing success rates of credential-harvesting and SIM-swap social engineering.
Immediate business and customer impact
- Customer risk: Phishing and voice-based scams (vishing), targeted account takeover attempts (using phone number + email), credential stuffing attempts (despite password not stolen, attackers will attempt to pair emails with breached passwords from other dumps).
- Brand trust: Large user base exposure will trigger reputation damage, customer churn, and increased support load — the very channel compromised.
- Regulatory exposure: Because ManoMano is subject to EU GDPR and French local rules, the company faces mandatory breach notification obligations and potential fines if investigations find negligent handling of third-party risk or data minimization failures. CNIL has been active and capable of levying multi-million euro fines in recent enforcement actions.
- Operational cost: Incident response, customer remediation, identity-monitoring offers, legal fees, and tighter vendor controls will carry substantial short- and medium-term costs.
Legal and regulatory context — what regulators will look for
Under GDPR and French practice, investigators and regulators tend to examine:
- Timeliness and completeness of breach notification to authorities and data subjects.
- Vendor management controls — did ManoMano exercise due diligence over the subcontractor? Were contractual and technical safeguards (access controls, encryption, logging, emergency revocation) in place and enforced?
- Data minimization and redaction practices inside support tools — were ticket contents systematically redacted or were unnecessary PII routinely captured?
- Security controls at the provider: MFA, privileged account oversight, least privilege, and monitoring.
If deficiencies are found, CNIL has precedent for significant fines and corrective orders; ANSSI/CERT-FR may assess operational guidance and provide technical follow-up.
How this fits into the larger trend
Third-party breaches continue to be one of the top systemic risks for consumer-facing platforms. Support systems centralize human conversations and frequently escape the same engineering-level protections applied to payment or account systems. The ManoMano incident echoes several prior incidents where attacker focus shifted to support tooling because it is both rich in context and often less locked down than core product back-ends.
Recent months have shown rising activity targeting help-desk platforms and outsourced support providers; organizations must treat those environments with production-grade controls, not as peripheral systems.