
ManoMano: Support-Portal Breach Exposes Millions of Customer Records
Context and chronology
ManoMano has disclosed a substantial data exposure centered on its customer‑support channel, with notices this week referencing an intrusion traced to January. Forensics and public postings point to a compromised third‑party support supplier rather than a direct failure of ManoMano’s storefront. An actor using the alias 'Indra' has posted artifacts and claims: roughly 37.8 million accounts and an estimated 43 GB of exported support records, including contact fields, support transcripts and attachments. Affected customer sets span ManoMano’s five European markets, producing immediate cross‑border notification and enforcement considerations.
Technical vector, corroborating tradecraft and scope
Available indicators point to access through a ticketing/help‑desk environment used by ManoMano’s support supplier; industry reporting indicates that mainstream cloud ticketing platforms are commonly present in such workflows. Comparable incidents tracked elsewhere add crucial context: some adversaries combine help‑desk compromise with endpoint infostealers and credential caches, while others pair social engineering (vishing) with real‑time session orchestration to defeat one‑time codes and MFA. That combined tradecraft increases the likelihood that exposed support transcripts and contact records will be weaponized for highly convincing targeted attacks and for credential‑stuffing campaigns that draw on bulk credential caches discovered in underground repositories. Reported counts in the posted archive are large (>900,000 service tickets; >13,000 attachments) but remain subject to independent forensic verification; past incidents show that actor‑claimed volumes can include aggregated, duplicated, or partially overlapping datasets.
Operational and detection lessons
Other recent breaches illustrate two contrasting operational realities: rapid service restoration is possible (as seen in unrelated IT‑distribution incidents), yet substantial exfiltration can already have taken place before containment. That pattern implies detection and segmentation gaps in environments that permit bulk data copying before isolation. For organizations relying on federated SSO and help‑desk workflows, defenders should treat session governance, telephony‑fraud signals, and endpoint telemetry as first‑order detection controls, not optional add‑ons. The combination of exposed contact data and external credential caches materially increases the probability of successful targeted vishing, MFA‑orchestration, and account‑takeover efforts.
Regulatory, market and customer impact
Expect accelerated EU data‑protection scrutiny and potential cross‑border coordination among authorities, given the multi‑market exposure. Downstream effects include increased fraud, higher remediation and notification costs, potential remediation demands from partners and payment vendors, and tighter vendor‑risk clauses. Insurance carriers will revisit incident scope during claims triage, which can influence future premiums for ecommerce firms using outsourced support services.
Tactical recommendations
Treat this as a supplier compromise that requires immediate, multi‑vector containment: revoke supplier access, rotate service credentials, isolate and snapshot affected support environments, and prioritize targeted password resets for high‑risk accounts. Revoke active sessions and consider forced re‑authentication for users with sensitive activity. Enforce least‑privilege on ticketing workflows, require stronger SLAs and audit rights with vendors, and accelerate adoption of phishing‑resistant authentication (hardware tokens or platform‑bound cryptographic MFA). Expand monitoring for telephony fraud, investigate potential use of credential caches in underground markets, and offer clear notifications and remediation options to affected customers. For long‑term resilience, mandate segmentation of support tooling from core customer data stores, deploy DLP around ticketing exports, and require contractual security attestations for subcontractors.
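One way to put the detection lessons and the DLP recommendation above into practice is to watch help‑desk audit events for two signals: a single actor (for example a supplier service account) touching an unusual number of distinct tickets in a short window, and a session token being used from more than one source address. The script below is an added illustration, not tooling from ManoMano, its support supplier, or any ticketing vendor; the event format, field names, thresholds, account names and sample events are constructed assumptions.

```python
"""Detection over help-desk audit events (added example, constructed format).

Two checks:
  1. bulk_access      - an actor touches more than BULK_THRESHOLD distinct
                        tickets within BULK_WINDOW (bulk copying before isolation)
  2. session_multi_ip - one session id is observed from two or more source IPs
                        (possible token replay / session hijack)
Event line format (assumed, not any real product's log):
  <ISO timestamp> <actor> <action> <ticket_id> <session_id> <src_ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 50  # distinct tickets per actor per window; tune per environment
DATA_ACTIONS = {"ticket.read", "ticket.export", "attachment.download"}


def parse_event(line):
    """Parse one audit line of the constructed format into a dict."""
    ts, actor, action, ticket, session, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "ticket": ticket, "session": session, "ip": ip}


def detect(lines):
    """Return a list of alert tuples found in the given audit lines."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    windows = defaultdict(deque)      # actor -> deque of (ts, ticket) in window
    flagged_bulk = set()              # actors already alerted on
    session_ips = defaultdict(set)    # session id -> set of source IPs seen
    flagged_session = set()           # sessions already alerted on

    for e in events:
        if e["action"] in DATA_ACTIONS:
            w = windows[e["actor"]]
            w.append((e["ts"], e["ticket"]))
            # Drop entries that fell out of the sliding window.
            while w and e["ts"] - w[0][0] > BULK_WINDOW:
                w.popleft()
            distinct = len({t for _, t in w})
            if distinct > BULK_THRESHOLD and e["actor"] not in flagged_bulk:
                flagged_bulk.add(e["actor"])
                alerts.append(("bulk_access", e["actor"], distinct, e["ts"]))

        ips = session_ips[e["session"]]
        ips.add(e["ip"])
        if len(ips) > 1 and e["session"] not in flagged_session:
            flagged_session.add(e["session"])
            alerts.append(("session_multi_ip", e["session"], sorted(ips), e["ts"]))
    return alerts


def sample_events():
    """Constructed audit lines: one normal agent, one bulk-exporting supplier
    account, and one session token seen from two addresses (RFC 5737 ranges)."""
    base = datetime(2026, 1, 14, 9, 0, 0)
    lines = []
    for i in range(5):  # normal agent: five tickets spread over an hour
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} agent-alice ticket.read T-{1000 + i} sess-a1 198.51.100.5")
    for i in range(60):  # supplier account: 60 distinct tickets in five minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} vendor-svc-17 ticket.export T-{2000 + i} sess-v1 203.0.113.10")
    # Same session id from two different source addresses a minute apart.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} agent-bob ticket.read T-3000 sess-b1 198.51.100.7")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} agent-bob ticket.read T-3001 sess-b1 203.0.113.99")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Running the script on the constructed sample yields one bulk_access alert for the supplier account (raised on its 51st distinct ticket) and one session_multi_ip alert for agent-bob's session; the normal agent produces nothing. In a real deployment the same logic would sit on the ticketing platform's audit export or SIEM feed, with thresholds derived from a baseline of legitimate agent activity and the bulk alert wired to session revocation and supplier-access suspension.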