European home improvement marketplace ManoMano has confirmed a massive data breach affecting 37.8 million customer accounts after hackers compromised a third-party customer service provider. The breach, which surfaced on cybercriminal forum BreachForums, represents one of the largest retail data exposures of 2026.
The Breach: Third-Party Call Center Compromised
A threat actor using the handle “Indra” posted the stolen data on BreachForums, claiming to have exfiltrated approximately 43 GB of data extracted from Zendesk, ManoMano’s customer support platform. The haul includes:
- 37.8 million user account records
- 935,000 after-sales service tickets
- More than 13,500 attachments
- Customer data spanning France, Spain, Italy, United Kingdom, and Germany
The attack vector traced back to a third-party call center based in Tunisia. Attackers reportedly compromised a workstation belonging to one of the service agents, gaining access to the Zendesk backend that ManoMano uses to manage customer interactions.
Crisis Response: Emergency Relocation to Madagascar
Following the breach, ManoMano was forced to execute an emergency repatriation of its entire customer service department to ADM Value in Madagascar. The company also engaged Burson, a renowned press agency, to manage communications around the incident.
While ManoMano officially acknowledged only “thousands of customers” affected in its public statements, the evidence posted by the threat actor suggests the actual scope is orders of magnitude larger.
Why This Matters
This breach highlights several critical security concerns:
- Third-Party Risk: ManoMano’s security posture was ultimately undermined by a vendor’s compromised workstation, demonstrating how supply chain security extends to every contractor handling customer data.
- Zendesk as an Attack Vector: Customer service platforms like Zendesk aggregate vast amounts of sensitive information, making them high-value targets for attackers.
- Cross-Border Data Impact: With customer records spanning five European countries, this breach triggers complex regulatory obligations under GDPR, potentially exposing ManoMano to significant fines.
- Transparency Gap: The disparity between ManoMano’s public acknowledgment (“thousands”) and the actual scope (37.8 million) raises questions about corporate breach disclosure practices.
What Exposed Data Could Enable
The stolen data creates significant risks for affected customers:
- Targeted Phishing: Attackers can craft convincing phishing campaigns using purchase history and support ticket context
- Identity Fraud: Personal details combined with purchase information provide fodder for social engineering
- Credential Stuffing: Email addresses can be cross-referenced against other breaches for credential reuse attacks
- Warranty/Return Fraud: Support ticket attachments may contain order details enabling fraudulent claims
Action Items
Organizations should take this breach as a wake-up call to:
- Audit Third-Party Access: Review all vendors with access to customer data platforms
- Implement Zero-Trust for Support Systems: Apply least-privilege access controls to customer service tools
- Monitor Dark Web: Proactively scan for company and customer data on cybercriminal forums
- Strengthen Vendor Security Requirements: Mandate security standards for offshore service providers
ManoMano, founded in 2013 and valued as a French unicorn startup, operates in six European markets. This incident follows previous controversies around the company’s “Manodvisors” program, where customers were allegedly incentivized to write positive reviews.
