ManoMano Zendesk Data Breach Exposes 38 Million Customers Across Europe: Incident Analysis and Security Implications


Executive Summary

In January 2026, ManoMano, a leading European e-commerce platform specializing in DIY, home improvement, and gardening products, detected unauthorized access to customer data via a third-party customer support service provider. The breach, which was publicly disclosed in late February 2026, impacted approximately 38 million individuals across France, Belgium, Spain, Italy, Germany, and the United Kingdom. The compromised data includes full names, email addresses, phone numbers, and customer service communications, but does not include account passwords or payment information. The incident originated from the compromise of a subcontractor’s Zendesk account, reportedly based in Tunis. Upon discovery, ManoMano immediately revoked the subcontractor’s access, implemented enhanced access controls, and notified relevant authorities, including CNIL and ANSSI. The threat actor, using the alias “Indra,” claimed responsibility for the breach on a hacker forum. The investigation is ongoing, and ManoMano has issued guidance to customers to remain vigilant against phishing and social engineering attempts. All information in this summary is directly supported by the referenced sources below.

Technical Information

The ManoMano data breach is a significant example of a third-party supply chain attack targeting the e-commerce sector. The breach was executed through unauthorized access to a subcontractor’s Zendesk account, a cloud-based customer support platform. This access enabled the exfiltration of sensitive customer data, including full names, email addresses, phone numbers, and customer service communications such as support tickets and attachments. No evidence has been found of malware deployment, exploitation of software vulnerabilities, or compromise of ManoMano’s core infrastructure. The attack relied on abusing legitimate credentials or session access, likely through phishing, credential stuffing, or session hijacking, although the precise method remains unconfirmed.

The threat actor, “Indra,” advertised possession of 37.8 million user records, 935,000 support tickets, and 13,500 attachments (approximately 43GB of data) on BreachForums. The actor’s tactics, techniques, and procedures (TTPs) align with financially motivated cybercriminals targeting SaaS platforms for large-scale data exfiltration and subsequent sale or leak of the data.

MITRE ATT&CK Mapping: The attack can be mapped to several MITRE ATT&CK techniques:

- Valid Accounts (T1078): Use of legitimate credentials to access the Zendesk platform.
- External Remote Services (T1133): Access via a cloud-based customer support platform.
- Data from Information Repositories (T1213): Extraction of customer data and support tickets from Zendesk.
- Exfiltration Over Web Service (T1567.002): Data exfiltrated via the SaaS platform.
- Data Leak (T1537): Public disclosure and sale of stolen data on BreachForums.

The confidence level is high for the use of valid accounts and external remote services, based on direct statements from ManoMano and multiple independent sources. The confidence is medium for the exact technical mechanism of data extraction and exfiltration, as detailed technical artifacts have not been published.

No specific malware or custom tools have been identified in this incident. The attack appears to have relied solely on abusing legitimate access to the Zendesk SaaS platform. No technical indicators such as hashes or command-and-control infrastructure have been released by ManoMano or third-party investigators.
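With no hashes or command-and-control indicators to match on, detection of this kind of valid-account abuse has to rest on behaviour. The following added example (not code from ManoMano, Zendesk, or the cited sources) flags a support account whose hourly count of distinct tickets read jumps far above its own baseline. The event schema, account names, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical audit schema (an assumption, not Zendesk's log format):
# (ISO timestamp, account, action, ticket_id)
READ_ACTIONS = {"ticket.view", "ticket.export", "attachment.download"}

def constructed_events():
    """Constructed sample data: one in-house agent and one subcontractor account."""
    day, events = "2026-01-12", []
    for hour in range(9, 15):  # agent_a: steady 12 tickets per hour
        for i in range(12):
            events.append((f"{day}T{hour:02d}:{i * 4:02d}:00", "agent_a",
                           "ticket.view", hour * 100 + i))
    for hour in range(9, 13):  # subco_x: four normal hours of 10 tickets each
        for i in range(10):
            events.append((f"{day}T{hour:02d}:{i * 5:02d}:00", "subco_x",
                           "ticket.view", 40000 + hour * 100 + i))
    for i in range(400):  # then 400 distinct tickets pulled within one hour
        events.append((f"{day}T13:{i % 60:02d}:{i // 60:02d}", "subco_x",
                       "ticket.export", 50000 + i))
    return events

def hourly_distinct_tickets(events):
    """Map account -> {hour bucket -> set of ticket ids read in that hour}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, account, action, ticket_id in events:
        if action in READ_ACTIONS:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            buckets[account][hour].add(ticket_id)
    return buckets

def flag_bulk_access(events, floor=100, ratio=5.0):
    """Return (account, hour, count) for hours that exceed an absolute floor
    and are at least `ratio` times the account's median over its other hours."""
    alerts = []
    for account, hours in hourly_distinct_tickets(events).items():
        counts = {h: len(ids) for h, ids in hours.items()}
        for hour, n in sorted(counts.items()):
            others = [c for h, c in counts.items() if h != hour]
            baseline = median(others) if others else 0
            # With no history the baseline is 0, so the floor alone decides.
            if n >= floor and n >= ratio * max(baseline, 1):
                alerts.append((account, hour.isoformat(), n))
    return alerts

if __name__ == "__main__":
    for alert in flag_bulk_access(constructed_events()):
        print("bulk ticket access:", alert)
```

Counting distinct tickets rather than raw requests keeps an agent who reopens the same few tickets repeatedly from tripping the rule, and the per-account baseline lets the floor be set low for subcontractor accounts without flooding alerts for busy in-house teams.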

The breach underscores the risks associated with third-party service providers in the e-commerce sector, particularly those handling customer support and sensitive communications. Attackers are increasingly targeting vendors with privileged access to customer data, exploiting weaker security controls and the central role of SaaS platforms in aggregating sensitive information.

Regulatory notification requirements were triggered, with ManoMano informing French authorities CNIL (Commission Nationale de l'Informatique et des Libertés), ANSSI (Agence nationale de la sécurité des systèmes d'information), and the Cyber Emergency Île-de-France platform, in accordance with GDPR and national cybersecurity protocols.

Affected Versions & Timeline

The breach affected all customers whose data was processed by the compromised third-party customer support provider using Zendesk. This includes both consumer and professional users of ManoMano’s platforms across France, Belgium, Spain, Italy, Germany, and the United Kingdom. The exposed data varies per individual, depending on the nature of their interactions with customer service.

The verified incident timeline is as follows: In January 2026, ManoMano detected unauthorized access via the third-party provider. The compromised account was blocked on the same day the incident was discovered. In February 2026, the threat actor “Indra” claimed responsibility and advertised the breach on a hacker forum. Public disclosure and customer notifications began on February 26–27, 2026, as confirmed by BleepingComputer, SecurityAffairs, and TechRadar.

No evidence has been found of data modification or tampering within ManoMano’s core systems. The investigation remains ongoing, and the company has not disclosed additional technical details at this stage.

Threat Activity

The threat actor “Indra” claimed responsibility for the breach on BreachForums, stating possession of 37.8 million user records, 935,000 support tickets, and 13,500 attachments. The actor’s historical activity is not well-documented in open sources, and no prior high-profile incidents have been attributed to this alias. The TTPs observed—targeting SaaS support platforms, exfiltrating large customer datasets, and selling or leaking data on cybercrime forums—are consistent with financially motivated cybercriminals rather than state-sponsored advanced persistent threats (APTs).

The attack exploited the privileged access of a third-party subcontractor to the Zendesk platform, highlighting the growing trend of targeting supply chain partners with access to sensitive data. The breach has sector-wide implications for supply chain security and vendor risk management in e-commerce, emphasizing the need for robust access controls, continuous monitoring, and incident response capabilities.

Regulatory and compliance actions were promptly taken, with notifications sent to CNIL, ANSSI, and the Cyber Emergency Île-de-France platform. ManoMano has provided guidance to affected customers, advising vigilance against phishing and social engineering attempts, and recommending verification of incoming communications, monitoring of bank accounts for fraudulent transactions, and avoidance of suspicious links or attachments.

Mitigation & Workarounds

The following mitigation actions and workarounds have been implemented or recommended in response to the breach, prioritized by severity:

Critical: Immediate revocation of the compromised subcontractor’s access to customer data and blocking of the affected Zendesk account. Enhanced access controls and monitoring were implemented internally and for all subcontractors. Regulatory authorities were notified in accordance with GDPR and national cybersecurity requirements.

High: Ongoing investigation and forensic analysis to determine the full scope of the breach and identify any additional risks. Reinforcement of vendor risk management practices, including regular security assessments and audits of third-party service providers with access to sensitive data.

Medium: Issuance of customer notifications with guidance on identifying and avoiding phishing and social engineering attempts. Customers are advised to verify the authenticity of incoming communications, monitor financial accounts for suspicious activity, and avoid clicking on suspicious links or downloading attachments.

Low: Continued review and strengthening of internal security policies, employee training on supply chain risks, and periodic reassessment of SaaS platform configurations and access privileges.

No evidence has been found of compromised passwords or payment data; therefore, password resets and payment card monitoring are not currently required. However, customers should remain vigilant and report any suspicious activity to ManoMano or relevant authorities.

References

- https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/
- https://securityaffairs.com/188582/data-breach/manomano-data-breach-impacted-38-million-customer-accounts.html?amp
- https://www.techradar.com/pro/security/manomano-data-breach-massive-diy-chain-incident-impacts-38-million-customers-heres-what-we-know
- https://www.theregister.com/2026/02/27/manomano_breach/
- https://attack.mitre.org/techniques/T1078/
- https://attack.mitre.org/techniques/T1133/
- https://attack.mitre.org/techniques/T1213/
- https://attack.mitre.org/techniques/T1567/002/
- https://attack.mitre.org/techniques/T1537/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous evaluation of vendor security posture, supports regulatory compliance efforts, and facilitates rapid response to supply chain incidents. For questions or further information, please contact us at ops@rescana.com.
