Security News

Cybersecurity news aggregator

HIGH Attacks Reddit r/netsec

GitHub ~3,800 internal repos compromised through a malicious VS Code extension

The threat actor UNC6780 (TeamPCP) compromised approximately 3,800 internal GitHub repositories by distributing a malicious Visual Studio Code extension, which served as the initial attack vector for source code exfiltration. The article does not provide a CVSS score, specific affected or fixed software versions, or a recommended workaround for this supply chain attack.

GitHub

3,800 GitHub Repos Breached via Poisoned VS Code Extension by TeamPCP

GitHub confirms ~3,800 internal repos breached via poisoned VS Code extension. TeamPCP (UNC6780) sells stolen source code for $50,000

20-May-2026

No content available.

Related Articles

ZARA

Zara data breach exposes 197,400 customers via ShinyHunters ransomware attack on...

Hackers exposed data tied to roughly 200,000 Zara customers in an alleged ransomware attack. The retailer previously appeared on a leak site connected to the ShinyHunters Salesforce extortion campaign. The breach has since been precisely quantified — a new entry by the data-breach tracking platform HaveIBeenPwned (HIBP) confirmed that exactly 197,400 customers were exposed in the leak.

## INCIDENT TIMELINE

**April 6, 2026 — Initial Intrusion via Third-Party Vector**

In the April 6th Anodot attack, the ransomware gang was said to have used stolen authentication tokens from the _"SaaS integration provider"_ to access the sensitive data. When ransomware actors ShinyHunters broke into Anodot, they were able to access those integrations and steal files belonging to multiple companies. The attack specifically targeted Anodot's integration layer with Snowflake-hosted customer environments.

**April 15–16, 2026 — Zara Listed on Dark Leak Site; Inditex Discloses Breach**

ShinyHunters claimed to have breached Zara's networks through a previous compromise of the Israeli AI analytics firm Anodot as part of an attack wave earlier this month, posting Zara on its dark leak site and claiming to have hacked the company's _"BigQuery databases,"_ as part of a _"pay or leak"_ campaign — giving the company a deadline of April 21.

Inditex, Zara's parent company and the world's largest fashion retailer, announced on April 16th it had been hit following a third-party breach involving one of its technology providers.

**Post-April 21 Deadline — Ransom Refused; Data Dumped**

After ignoring ShinyHunters' ransomware threats, the gang, as promised, dumped a large cache of data allegedly exfiltrated from Zara's networks.

## THREAT ACTOR PROFILE: ShinyHunters

[ShinyHunters](https://www.secureblink.com/threat-research/shiny-hunters-decentralized-extortion-targets-cloud-saa-s-at-scale) is a sophisticated, financially motivated ransomware and data extortion group operating a "pay or leak" dark web model. In the current campaign, the group's operational scope extended well beyond Zara. Other [Salesforce](https://www.secureblink.com/cyber-security-news/inside-the-billion-record-extortion-blitz-hitting-salesforce-tenants) victims listed on the ransomware leak site include Canada Life Assurance Company (5.6M records), Pitney Bowes (25M records), Marcus & Millichap (30M records), and Aman Resorts (500K records). Notably, on June 25, 2025, French authorities announced the arrest of four alleged members of ShinyHunters across multiple regions of France.

## ATTACK VECTOR ANALYSIS: The Anodot–Snowflake Supply Chain

The breach illustrates a textbook **third-party supply chain attack** — a threat model where adversaries bypass a target's hardened perimeter by compromising an upstream software or analytics provider. ShinyHunters [claims](https://www.secureblink.com/threat-research/shiny-hunters-decentralized-extortion-targets-cloud-saa-s-at-scale) Zara data was exposed through the Anodot compromise. The Anodot-linked attack wave hit [Snowflake](https://www.secureblink.com/cyber-security-news/snowflake-data-breaches-expose-millions-importance-of-mfa-highlighted) customer environments.

By obtaining authentication tokens belonging to Anodot — rather than Inditex directly — the attackers effectively inherited whatever database access permissions Anodot held on behalf of its clients. This token-based lateral movement is a particularly dangerous technique because it bypasses credential-based perimeter controls entirely.

## DATA EXPOSURE: WHAT WAS COMPROMISED

The group published a terabyte of data, allegedly including 95 million support ticket records. The data contained 197,400 unique email addresses alongside product SKUs, order IDs, and the market the support ticket originated in, according to HIBP. Inditex's own statement confirmed: the information of customers from different markets included customer email addresses, purchase history, order IDs, plus product and support ticket information.

**What Was NOT Exposed:** The fashion powerhouse said names, surnames, telephone numbers, addresses, passwords, bank cards, or other payment methods were not exposed.

## DOWNSTREAM RISK ASSESSMENT

While Inditex's containment statement is reassuring on its face, the exposed dataset carries meaningful secondary risks. The breach could give hackers a sharpe...
