
European online DIY giant ManoMano is notifying roughly 38 million customers after threat actors compromised a third-party customer support provider, exposing personal data tied to user accounts and support interactions.
The incident, discovered in January 2026, underscores the persistent risk posed by supply chain and vendor-based breaches.
“We can confirm that ManoMano has recently notified customers about a security incident involving one of our third-party customer service providers (a subcontractor),” the company told BleepingComputer.
Inside the ManoMano breach
ManoMano is one of Europe’s largest online marketplaces for DIY, gardening, and home improvement products, operating across France, Belgium, Spain, Italy, Germany, and the UK.
The platform attracts roughly 50 million unique monthly visitors, and with nearly 38 million people affected, the breach stands as one of the more significant retail-sector data exposures in Europe in recent months.
According to BleepingComputer, the scope of compromised data varies depending on a customer’s interaction with the platform. Exposed information may include full names, email addresses, phone numbers, and customer service communications.
ManoMano stressed that no account passwords were accessed and that there is no evidence of data being modified within its internal systems.
How the third-party compromise unfolded
Shortly before disclosure, a threat actor using the alias Indra claimed responsibility for the breach on a hacker forum, alleging possession of roughly 37.8 million user records as well as thousands of customer support tickets and attachments.
Although these claims have not been independently verified, the figures closely align with the company’s public notification.
Unconfirmed reports indicate that the compromised organization may have been a Tunis-based subcontractor providing customer support services, and that the intrusion may have involved a Zendesk environment.
Why customer support data is at risk
Even without passwords, customer service records can be highly exploitable. Support tickets often contain contextual details such as:
- Order numbers.
- Billing inquiries.
- Shipping addresses.
- Account confirmations.
- Troubleshooting exchanges.
Armed with this information, attackers can craft highly convincing phishing emails or impersonation attempts that reference legitimate transactions or prior communications. The contextual accuracy lowers user suspicion and increases the likelihood of successful social engineering, potentially leading to credential harvesting, financial fraud, or further compromise.
In response to the incident, ManoMano said it revoked the subcontractor’s access to customer data, strengthened access controls and monitoring mechanisms, and notified French regulators, including the CNIL and ANSSI.
The company added that its investigation remains ongoing and that further technical details about the incident have not yet been released.
Managing third-party security risk
As organizations increase their reliance on SaaS platforms and third-party service providers, vendor risk management should be integrated into broader security operations rather than handled solely as a compliance requirement.
Reducing exposure requires a combination of technical safeguards, clear governance structures, and well-defined response processes.
- Enforce least-privilege and just-in-time access for third parties, require multi-factor authentication, validate device posture, and manage privileged accounts through centralized access controls.
- Continuously monitor SaaS environments by logging API activity, reviewing tokens and OAuth grants, deploying SaaS security posture management (SSPM) tools, and alerting on abnormal access or bulk data exports.
- Minimize and segment vendor-accessible data by limiting the number of shared datasets, applying tokenization or pseudonymization, and implementing field-level encryption where appropriate.
- Strengthen contractual and governance controls by requiring timely breach notification, validating security attestations such as SOC 2 Type II, maintaining right-to-audit clauses, and verifying vendor cyber insurance coverage.
- Implement data loss prevention (DLP), cloud access security broker (CASB), and egress monitoring controls to detect and restrict unauthorized mass data extraction.
- Prepare for downstream phishing and fraud risks by implementing DMARC, DKIM, and SPF, monitoring for brand impersonation, and raising fraud-detection thresholds.
- Regularly test incident response plans and build playbooks around third-party compromise scenarios.
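The monitoring recommendation above (alerting on abnormal access or bulk data exports by a vendor account) is the kind of check a help-desk audit log makes possible. The following is an added example, not code from ManoMano or from any help-desk product: it assumes a simple constructed log format (timestamp, actor, role, action, ticket id) and flags any vendor-role account that touches more than a threshold of distinct tickets inside a sliding time window.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not data from any real ManoMano or Zendesk system).
# One event per line: <ISO timestamp>Z <actor> <role> <action> <ticket_id>
def make_sample_log():
    base = datetime(2026, 1, 12, 9, 0, 0)
    lines = []
    # vendor account agent-17 opens 60 distinct tickets in three minutes: bulk access
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()}Z agent-17 vendor ticket.view {10000 + i}")
    # vendor account agent-03 opens 8 tickets spread over an hour: normal support work
    for i in range(8):
        lines.append(f"{(base + timedelta(minutes=7 * i)).isoformat()}Z agent-03 vendor ticket.view {20000 + i}")
    # in-house account agent-09 handles 70 tickets: not a vendor role, so outside this rule's scope
    for i in range(70):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}Z agent-09 employee ticket.view {30000 + i}")
    return "\n".join(lines)

def parse_line(line):
    ts, actor, role, action, ticket = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), actor, role, action, ticket

def detect_bulk_vendor_access(log_text, threshold=50, window=timedelta(minutes=5)):
    """Return {actor: peak_distinct_tickets} for vendor-role actors that accessed more
    than `threshold` distinct tickets inside any sliding window of length `window`."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # actor -> deque of (timestamp, ticket) still inside the window
    alerts = {}
    for ts, actor, role, action, ticket in events:
        # only third-party accounts and ticket read/export actions are in scope for this rule
        if role != "vendor" or action not in ("ticket.view", "ticket.export"):
            continue
        q = recent[actor]
        q.append((ts, ticket))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > threshold:
            alerts[actor] = max(alerts.get(actor, 0), distinct)
    return alerts

if __name__ == "__main__":
    for actor, peak in detect_bulk_vendor_access(make_sample_log()).items():
        print(f"ALERT: vendor account {actor} touched {peak} distinct tickets within 5 minutes")
```

The threshold and window are assumed values for illustration; in practice they would be tuned to a vendor's normal ticket volume, and the same sliding-window logic applies to API token activity or attachment downloads.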
The ManoMano incident highlights how third-party providers can create meaningful risk exposure, even when an organization’s primary systems are not directly compromised.
As companies rely more heavily on interconnected SaaS platforms and service partners, vendors are increasingly attractive targets because of the volume of centralized customer data they manage.
Editor’s note: This article originally appeared on our sister site, eSecurityPlanet.