European DIY and home improvement marketplace ManoMano has confirmed a large-scale data breach affecting approximately 38 million customers, after threat actors exploited a vulnerability tied to one of the company’s third-party service providers.
Incident Summary
ManoMano, a prominent French e-commerce platform with operations across multiple European countries and roughly 50 million monthly visitors, discovered the breach in January 2026 and began notifying affected users this month.
Company communications and notifications to users confirm that unauthorized access stemmed from the compromise of a third-party customer service subcontractor’s environment, which held credentials and access to ManoMano’s support systems.
How the Attack Occurred
While ManoMano has not publicly named the specific vendor, multiple security sources indicate the intrusion originated through a compromised Zendesk customer support instance operated by a Tunisia-based subcontractor.
A threat actor using the alias “Indra” posted claims on underground hacking forums stating they extracted around 43 GB of data, encompassing ~37.8 million user accounts, over 900,000 support tickets, and more than 13,000 attachments tied to customer support communications. These exact figures have not been independently verified by the company.
What Data Was Exposed
According to ManoMano’s breach notices shared with media, the exposed data includes:
- Full names (first and last)
- Email addresses
- Telephone numbers
- Customer support interactions and communications
Crucially, passwords were not accessed, and there is no evidence that account credentials stored on ManoMano’s primary systems were altered or exfiltrated.
Company Response and Mitigation Efforts
Upon detection of the unauthorized access, ManoMano stated it took the following steps:
- Disabled the compromised access channel
- Revoked the subcontractor’s credentials
- Implemented enhanced access controls and monitoring
- Notified relevant regulatory authorities, including French data protection watchdog CNIL and the national cybersecurity agency ANSSI
Customers were advised to remain vigilant for phishing attempts and fraudulent communications using the stolen data, as exposed names and emails could be leveraged in social engineering scams.
Geographic Scope and Regulatory Impact
The breach affects customers across France, Germany, Italy, Spain, the United Kingdom, Belgium and other markets where ManoMano operates, reflecting the company’s pan-European footprint.
Given the scale of the incident and the complex cross-border nature of data protection under the EU’s General Data Protection Regulation (GDPR), ManoMano may face regulatory scrutiny and reporting obligations in multiple jurisdictions.
Broader Context
This breach underscores a growing trend in cybersecurity: vendor and supply chain compromises are becoming one of the leading vectors for large-scale data exposures. Attackers increasingly target external service providers to gain indirect access to larger organizations’ data stores, particularly customer support platforms that aggregate sensitive personal information.
