French DIY etailer ManoMano admits customer data stolen
Crooks claim they helped themselves to over 37M accounts during January hit on subcontractor
Updated French online marketplace ManoMano is warning customers their personal data was siphoned off after a cyberattack hit one of its customer support subcontractors – and criminals are already claiming the haul is far larger than the company's carefully worded notice suggests.
In a letter sent to affected users, seen by The Register, ManoMano said it was informed that a customer service provider was hit by a cyberattack in January 2026 that led to "the unauthorized download of personal data associated with your customer account." The company said its investigation found that "an illegal data extraction was carried out from the account of one of our subcontractor's agents."
The exposed data includes first and last names, email addresses, phone numbers, and "any potential exchanges you may have had with our customer service department." ManoMano stressed that "your password is not affected" and that customer data "remains intact and has not been modified."
ManoMano hasn't named the hacked subcontractor, but unconfirmed reports claim the vector for the attack was Zendesk, the widely used – and frequently targeted – support platform.
Zendesk said of the incident that its "platform was not compromised." It added: "The incident was a localized matter involving compromised credentials and occurred entirely outside the Zendesk platform. It did not result from any vulnerability or security failure within Zendesk's infrastructure.
"Zendesk maintains robust security controls and follows industry best practices. Zendesk confirms that it takes data security obligations extremely seriously and it is cooperating fully with relevant stakeholders, and will continue to act transparently and responsibly in relation to data protection matters."
Meanwhile, over on BreachForums, a user calling themselves "Indra" is claiming responsibility for the ManoMano breach and is boasting about a dataset far larger than anything the retailer has publicly confirmed, alleging tens of millions of user records were swept up in the breach.
The actor alleges access to 37.8 million user accounts totaling roughly 43 GB of data, along with 935,000 after-sales service tickets and more than 13,500 attachments. The claimed haul reportedly spans multiple European markets, including France, Spain, Italy, Germany, and the UK.
- Wynn Resorts takes attacker's word for it that stolen staff data was deleted
- Korean cops charge teens over bike hire breach that exposed data on 4.62M riders
- UK council faces data breach claim after mishandling trans complaints
- PayPal app code error leaked personal info and a 'few' unauthorized transactions
In its notification, the retailer said it "immediately took all necessary measures to protect your data," blocked the compromised account the same day it was discovered, and "revoked all of our subcontractor's access to our customers' data." It also reported the incident to France's data protection watchdog, CNIL, and the national cybersecurity agency, ANSSI.
The company warned that the stolen information could be used in phishing or impersonation attempts and advised customers to "remain particularly vigilant for potential fraud attempts."
The company is a dedicated third-party marketplace that hooks up DIY and home improvement buyers with verified merchants. It facilitates sales for various sellers across Europe.
While ManoMano is framing the breach as a subcontractor incident, the alleged scale of the compromise suggests the subcontractor had access to a substantial volume of customer data. ®
Update
Updated on March 2 to add Zendesk statement.
Biting the hand that feeds IT
