European online DIY giant ManoMano is notifying roughly 38 million customers after threat actors compromised a third-party customer service provider, exposing personal data tied to user accounts and support interactions.
The incident, discovered in January 2026, underscores the persistent risk posed by supply chain and vendor-based breaches.
“We can confirm that ManoMano has recently notified customers about a security incident involving one of our third-party customer service providers (a subcontractor),” the company told BleepingComputer.
Inside the ManoMano Data Breach
ManoMano is one of Europe’s largest online marketplaces for DIY, gardening, and home improvement products, operating across France, Belgium, Spain, Italy, Germany, and the United Kingdom.
The platform draws roughly 50 million unique monthly visitors, and with nearly 38 million individuals affected, the breach stands as one of the more significant retail-sector data exposures in Europe in recent months.
According to BleepingComputer, the scope of compromised data varies depending on a customer’s interaction with the platform.
Exposed information may include full names, email addresses, phone numbers, and customer service communications.
ManoMano stressed that no account passwords were accessed and that there is no evidence of data being modified within its internal systems.
How the Third-Party Compromise Unfolded
Shortly before disclosure, a threat actor using the alias Indra claimed responsibility for the breach on a hacker forum, alleging possession of approximately 37.8 million user records as well as thousands of customer support tickets and attachments.
Although these claims have not been independently verified, the figures closely align with the company’s public notification.
Unconfirmed reports indicate that the compromised organization may have been a Tunis-based subcontractor responsible for providing customer support services, and that the intrusion could have involved a Zendesk environment.
Why Customer Support Data Is High Risk
Even without passwords, customer service records can be highly exploitable.
Support tickets often contain contextual details such as order numbers, billing inquiries, shipping addresses, account confirmations, and troubleshooting exchanges.
Armed with this information, attackers can craft highly convincing phishing emails or impersonation attempts that reference legitimate transactions or prior communications.
The contextual accuracy lowers user suspicion and increases the likelihood of successful social engineering, potentially leading to credential harvesting, financial fraud, or additional compromise.
In response to the incident, ManoMano said it revoked the subcontractor’s access to customer data, strengthened access controls and monitoring mechanisms, and notified French regulators including the CNIL and ANSSI.
The company added that its investigation remains ongoing, and additional technical details around the incident have not yet been released.
Managing Third-Party Security Risk
As organizations increase their reliance on SaaS platforms and third-party service providers, vendor risk management should be integrated into broader security operations rather than handled solely as a compliance requirement.
Reducing exposure requires a combination of technical safeguards, clear governance structures, and well-defined response processes.
- Enforce least-privilege and just-in-time access for third parties, require multi-factor authentication, validate device posture, and manage privileged accounts through centralized access controls.
- Continuously monitor SaaS environments by logging API activity, reviewing tokens and OAuth grants, deploying SaaS security posture management (SSPM) tools, and alerting on abnormal access or bulk data exports.
- Minimize and segment vendor-accessible data by limiting shared datasets, applying tokenization or pseudonymization, and enforcing field-level encryption where appropriate.
- Strengthen contractual and governance controls by requiring timely breach notification, validating security attestations such as SOC 2 Type II, maintaining right-to-audit clauses, and verifying vendor cyber insurance coverage.
- Implement data loss prevention (DLP), cloud access security broker (CASB), and egress monitoring controls to detect and restrict unauthorized mass data extraction.
- Prepare for downstream phishing and fraud risks by enforcing DMARC, DKIM, and SPF, monitoring for brand impersonation, and increasing fraud detection thresholds.
- Regularly test incident response plans and build playbooks around third-party compromise scenarios.
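As an added illustration of the "alert on abnormal access or bulk data exports" control above (example code written for this article, not ManoMano's or any vendor's tooling): a sliding-window detector that flags a third-party support account reading more distinct tickets than its role permits. The audit-log format, account names and threshold values are all assumed and constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log in an assumed format: "<ISO timestamp> <actor> <role> <action> <ticket>".
# Not real ManoMano or vendor data; agent42 and agent7 are hypothetical subcontractor accounts.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z agent42@vendor.example subcontractor ticket.read T-1001
2026-01-10T09:00:03Z agent42@vendor.example subcontractor ticket.read T-1002
2026-01-10T09:00:05Z staff1@corp.example employee ticket.read T-2001
2026-01-10T09:00:06Z agent42@vendor.example subcontractor ticket.read T-1003
2026-01-10T09:00:09Z agent42@vendor.example subcontractor ticket.read T-1003
2026-01-10T09:00:10Z agent42@vendor.example subcontractor ticket.read T-1004
2026-01-10T09:00:12Z agent42@vendor.example subcontractor ticket.read T-1005
2026-01-10T09:00:15Z agent42@vendor.example subcontractor ticket.read T-1006
2026-01-10T09:00:20Z agent42@vendor.example subcontractor ticket.update T-1006
2026-01-10T09:30:00Z agent7@vendor.example subcontractor ticket.read T-1101
2026-01-10T09:30:02Z agent7@vendor.example subcontractor ticket.read T-1102
"""

# Constructed policy: max distinct tickets one actor may read per sliding window, by role.
LIMITS = {"subcontractor": 5, "employee": 50}
WINDOW = timedelta(minutes=10)

def parse_line(line):
    ts, actor, role, action, ticket = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, role, action, ticket

def detect_bulk_access(log_text, limits=LIMITS, window=WINDOW):
    """Return one (actor, distinct_tickets, timestamp) alert per actor that
    reads more distinct tickets inside `window` than its role allows."""
    recent = defaultdict(deque)  # actor -> (timestamp, ticket) events still inside the window
    alerted, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts, actor, role, action, ticket = parse_line(line)
        if action != "ticket.read":  # only reads of ticket bodies count toward the limit
            continue
        events = recent[actor]
        events.append((ts, ticket))
        while ts - events[0][0] > window:  # drop reads that fell out of the window
            events.popleft()
        distinct = len({t for _, t in events})  # re-reads of one ticket are not bulk export
        if distinct > limits.get(role, 0) and actor not in alerted:
            alerted.add(actor)
            alerts.append((actor, distinct, ts))
    return alerts

def run_sample():
    return detect_bulk_access(SAMPLE_LOG)
```

On the constructed log, only agent42 trips the subcontractor limit (six distinct tickets in under ten minutes); the employee account and the second vendor account stay below their thresholds.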
Together, these measures help organizations limit the blast radius of third-party incidents while strengthening overall operational resilience.
Why Vendors Are Prime Attack Targets
The ManoMano incident highlights how third-party providers can create meaningful risk exposure, even when an organization’s primary systems are not directly compromised.
As companies rely more heavily on interconnected SaaS platforms and service partners, vendors increasingly become attractive targets due to the volume of centralized customer data they manage.
Third-party incidents like this are prompting organizations to evaluate dedicated third-party risk management tools that provide greater visibility, continuous assessment, and control over vendor-related security exposure.
