Full Report
Crooks claim they helped themselves to over 37M accounts during January hit on subcontractor

French online marketplace ManoMano is warning customers their personal data was siphoned off after a cyberattack hit one of its customer support subcontractors – and criminals are already claiming the haul is far larger than the company's carefully worded notice suggests.…
Analysis Summary
# Incident Report: ManoMano Subcontractor Data Breach
## Executive Summary
In January 2026, ManoMano, a French online DIY marketplace, experienced a data breach through a compromise of one of its third-party customer support subcontractors. The incident resulted in the unauthorized download of personal data belonging to numerous customers. While ManoMano is investigating, threat actors are claiming responsibility for exfiltrating data relating to over 37 million user accounts, prompting warnings about potential phishing activities.
## Incident Details
- **Discovery Date:** Not stated precisely; some time after the January 2026 attack, followed by customer notification.
- **Incident Date:** January 2026
- **Affected Organization:** ManoMano (via its subcontractor)
- **Sector:** E-commerce / Online Marketplace (DIY/Home Improvement)
- **Geography:** Europe (Affecting customers in France, Spain, Italy, Germany, and the UK)
## Timeline of Events
### Initial Access
- **Date/Time:** January 2026
- **Vector:** Compromise of an agent account belonging to a customer support subcontractor.
- **Details:** Attackers gained access to the systems of a third-party customer service provider utilized by ManoMano. Unconfirmed reports suggest the vector may have been the widely used Zendesk support platform.
### Lateral Movement
- **Details:** No lateral movement beyond the subcontractor is described. The attack appears to have centred on data extraction through the compromised agent account, which implies that account already held enough access within the subcontractor's environment to aggregate customer records.
### Data Exfiltration/Impact
- **Details:** "Illegal data extraction" was carried out from one of the subcontractor's agents' accounts. Threat actors ("Indra") claim to have exfiltrated data for approximately 37.8 million user accounts, totaling 43 GB of data, including 935,000 after-sales service tickets and 13,500 attachments.
### Detection & Response
- **Details:** ManoMano was alerted to the incident, leading to an internal investigation. The company immediately took protective measures.
- **Response Actions:** The compromised account was blocked the same day it was discovered, and all subcontractor access to customer data was revoked. The incident was reported to CNIL (France’s data protection watchdog) and ANSSI (the national cybersecurity agency).
## Attack Methodology
- **Initial Access:** Compromise of an agent account on a third-party support platform (potential vector: Zendesk).
- **Persistence:** Not explicitly stated; the compromised agent's existing privileges appear to have been sufficient for the duration of the data collection.
- **Privilege Escalation:** Not explicitly stated; the agent account's access level alone allowed large-scale extraction of customer records and support tickets.
- **Defense Evasion:** Not explicitly stated; activity from a legitimate agent account within the third-party environment allowed data extraction to proceed without detection.
- **Credential Access:** Likely targeted credentials associated with the agent account at the subcontractor.
- **Discovery:** Likely internal reconnaissance within the subcontractor's environment to identify valuable customer data stores.
- **Lateral Movement:** Limited scope described; movement focused on aggregating the target data within the subcontractor's network segment.
- **Collection:** Gathering of customer profile data, contact information, and support ticket history.
- **Exfiltration:** Unauthorized download of data, totaling approximately 43 GB.
- **Impact:** Data theft leading to potential phishing and identity fraud risks for affected customers.
## Impact Assessment
- **Financial:** Not disclosed, but costs associated with regulatory compliance, remediation, and customer notification will be incurred.
- **Data Breach:**
* **Volume:** Claimed 37.8 million user accounts.
* **Data Types:** First and last names, email addresses, phone numbers, and potential customer service exchanges/records. Passwords were **not** affected.
- **Operational:** Disruption stemming from the need to sever access for the compromised subcontractor and conduct forensic investigation.
- **Reputational:** Negative publicity from the breach and the discrepancy between the company's statement and the attackers' claims regarding the sheer volume of compromised data.
## Indicators of Compromise
*Note: No specific technical IoCs (IPs, hashes) were provided in the source text.*
- **Network Indicators:** None disclosed; the external access method used against the subcontractor's infrastructure is not known.
- **File Indicators:** Claimed 43 GB data archive containing PII and support tickets.
- **Behavioral Indicators:** Unauthorized bulk data extraction activity observed originating from a legitimate agent account used for customer support activities.
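The behavioral indicator above, bulk record access from a single legitimate agent account, is the one signal a support platform's audit trail can surface on its own. The following is an added example, not code from ManoMano, its subcontractor or Zendesk: it reads a hypothetical JSON-lines audit log (one event per ticket or record view, a shape most support platforms can export), keeps a sliding window per agent, and raises an alert the first time an agent touches more distinct records in ten minutes than a baseline allows, or performs an export action at all. The sample events, the field names, the window size and the threshold are all constructed assumptions.

```python
"""Bulk-access detection over a support-platform audit trail.

Added example; not ManoMano's, the subcontractor's or Zendesk's code.
Log format, field names, window and threshold are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed sliding-window size
MAX_DISTINCT = 50                # assumed distinct records per window before alerting
READ_ACTIONS = {"ticket.view", "customer.view", "attachment.download"}
EXPORT_ACTIONS = {"ticket.export", "search.export"}   # never expected from a plain agent


def _iso(ts):
    return ts.isoformat().replace("+00:00", "Z")


def build_sample_log():
    """Constructed JSON-lines audit trail: one ordinary agent, one bulk reader."""
    start = datetime(2026, 1, 14, 9, 0, tzinfo=timezone.utc)
    lines = []
    # agent-17: eight ticket views spread over an hour (ordinary workload)
    for i in range(8):
        lines.append(json.dumps({"ts": _iso(start + timedelta(minutes=7 * i)),
                                 "actor": "agent-17", "action": "ticket.view",
                                 "object": f"T-{1000 + i}"}))
    # agent-42: 120 distinct tickets in ten minutes, one every five seconds
    for i in range(120):
        lines.append(json.dumps({"ts": _iso(start + timedelta(seconds=5 * i)),
                                 "actor": "agent-42", "action": "ticket.view",
                                 "object": f"T-{2000 + i}"}))
    # agent-42 then runs a saved-search export (constructed event)
    lines.append(json.dumps({"ts": _iso(start + timedelta(minutes=12)),
                             "actor": "agent-42", "action": "search.export",
                             "object": "search-all-open"}))
    return "\n".join(lines) + "\n"


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bulk_access(events, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return alerts: one per actor on first crossing of the distinct-record
    threshold inside `window`, plus one for every export action."""
    recent = defaultdict(deque)   # actor -> deque of (ts, object) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        actor, action = ev["actor"], ev["action"]
        if action in EXPORT_ACTIONS:
            alerts.append({"actor": actor, "reason": "export", "at": ev["ts"],
                           "detail": ev["object"]})
            continue
        if action not in READ_ACTIONS:
            continue
        q = recent[actor]
        q.append((ev["ts"], ev["object"]))
        while q and ev["ts"] - q[0][0] > window:   # expire old entries
            q.popleft()
        distinct = len({obj for _, obj in q})
        if distinct > max_distinct and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "reason": "bulk_read", "at": ev["ts"],
                           "detail": distinct})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(parse_events(build_sample_log())):
        print(f"{a['at'].isoformat()} {a['actor']} {a['reason']} {a['detail']}")
```

On the constructed log the ordinary agent never trips the rule, while the bulk reader is flagged at the 51st distinct ticket (about four minutes in) and again on the export. In practice the threshold should come from each agent's own historical rate rather than a fixed number, and the export rule should be backed by removing export rights from agent roles in the first place, which is the access-control point the response actions above make.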
## Response Actions
- **Containment:** Immediate blocking of the single compromised subcontractor agent account.
- **Eradication:** Revocation of *all* access rights held by the affected subcontractor to ManoMano customer data.
- **Recovery:** Not detailed, but focused on secure re-establishment of support channels and customer reassurance.
## Lessons Learned
- **Third-Party Risk Management is Critical:** A single compromise within a subcontractor environment can lead to catastrophic impacts across the primary organization’s customer base.
- **Data Minimization:** The subcontractor possessed a high volume of sensitive PII, suggesting that data access policies may have been too permissive.
- **Public Narrative Disparity:** Discrepancies between internal findings and external claims by threat actors need to be addressed promptly and clearly in public communications.
## Recommendations
- **Immediate:** Conduct a comprehensive audit of security posture and data access controls for all critical third-party vendors, especially those handling customer service/support data.
- **Vendor Segmentation:** Ensure subcontractors operate within highly segmented environments, limiting their access strictly to the resources required for their defined tasks (Zero Trust principles applied to vendor access).
- **Stronger Authentication:** Review MFA enforcement and session management protocols for all third-party agents accessing integrated systems (e.g., Zendesk integration points).