
Archived Article: The Daily Perspective is no longer active. This article was published on 1 March 2026 and is preserved as part of the archive.

Technology

38 Million Customer Records Exposed in ManoMano Cyber Breach

A hacker exploiting a subcontractor's support portal has put the personal data of tens of millions of European shoppers at risk, raising urgent questions about outsourced IT security.

Key Points
  • French online DIY marketplace ManoMano confirmed a January 2026 cyberattack on a third-party customer support provider exposed customer personal data.
  • A hacker using the alias 'Indra' claims on BreachForums to have stolen 37.8 million user records totalling roughly 43 GB of data across five European countries.
  • Exposed data includes names, email addresses, phone numbers, and customer service communications; ManoMano says passwords were not compromised.
  • Unconfirmed reports link the attack vector to Zendesk, a widely used customer support platform with a history of security incidents.
  • ManoMano has notified French regulators CNIL and ANSSI and urged customers to remain vigilant against phishing and social engineering.

38 million. That's the number of customer records a hacker going by the alias "Indra" claims to have walked off with from French online DIY marketplace ManoMano in January 2026. The company's official disclosures have been considerably more measured in tone, but the scale of the alleged compromise is hard to wave away.

As reported by The Register, ManoMano began notifying customers this week that a cyberattack had hit one of its customer service subcontractors, resulting in what the company described as "the unauthorized download of personal data associated with your customer account." The retailer said its cybersecurity teams traced the intrusion to a single compromised agent account held by the subcontractor, which was blocked on the day the incident was discovered.

The exposed data is the kind that keeps fraud teams busy for months: full names, email addresses, phone numbers, and the contents of any exchanges customers had with ManoMano's support department. The company was careful to stress that account passwords were not accessed and that no data on its own systems was modified. Cold comfort for tens of millions of people whose contact details are now potentially in criminal hands.

What the official notice doesn't fully address

Here's the thing: ManoMano's carefully worded notification and the picture being painted on cybercriminal forums tell rather different stories. According to BleepingComputer, the company confirmed to the outlet that roughly 38 million individuals are affected, a number that dwarfs any sense the initial notification gave of a contained, limited incident. On BreachForums, "Indra" claims possession of 37.8 million user records, more than 935,000 after-sales service tickets, and over 13,500 file attachments, totalling approximately 43 GB of data spanning ManoMano's operations in France, Spain, Italy, Germany, and the United Kingdom.

ManoMano has not identified its compromised subcontractor by name. Unconfirmed reports, however, point to Zendesk, the customer support platform with a well-documented history of security incidents, as the likely attack vector. A Tunis-based customer support provider is reported to have been the entry point. Whether that identification proves accurate, the pattern is familiar: a large company outsources customer-facing functions to reduce costs, and the security controls governing that third party turn out to be the weakest link in a very long chain.

High-profile data breaches have hit a range of industries in early 2026, including hospitality giant Wynn Resorts, where the ShinyHunters group claimed responsibility for stealing staff data.

ManoMano is no small operator. According to SecurityWeek, the Paris-based platform draws more than 50 million unique monthly visitors, connecting DIY and home improvement buyers with verified merchants across five European markets. A breach affecting 38 million of those customers is, by any measure, one of the larger retail-sector data exposures seen in Europe in recent memory.

The third-party risk problem is not going away

There is a legitimate commercial logic to outsourcing. Customer support operations are expensive to staff internally, and specialist providers offer scale and language capability that most e-commerce companies cannot replicate in-house. No serious analyst would argue that outsourcing itself is inherently reckless.

But the ManoMano incident illustrates a problem that has become almost routine in major data breaches: the principal company's own systems remain untouched, while a subcontractor sitting on a vast pool of customer data operates under far less scrutiny. In this case, a single compromised agent account at a third-party firm appears to have been sufficient to extract the personal details of tens of millions of people. The question is not whether to outsource, but whether companies are applying the same security expectations to their vendors as they apply internally. Audit rights, data minimisation requirements, and real-time egress monitoring are not exotic demands; they are basic governance that the ManoMano breach suggests were either absent or insufficient.

Advocates for stronger regulatory oversight of supply chain security will find plenty of ammunition here. The EU's NIS2 Directive, which came into force in late 2024, imposes stricter requirements on essential and important entities regarding third-party risk management. Whether ManoMano's arrangements with its support providers met those obligations will likely attract regulatory attention, given the company has already notified France's data protection authority, the CNIL, and the national cybersecurity agency, ANSSI.

What customers should do now

ManoMano has urged affected customers to be alert to phishing emails, SMS scams, and phone-based impersonation attempts. Given that attackers now hold names, phone numbers, and the specifics of past customer service interactions, they have the raw material to craft highly convincing personalised fraud attempts. A scammer who knows you recently filed a warranty dispute over a power drill is far more persuasive than one working from a generic script.

Customers should verify the origin of any unexpected contact claiming to be from ManoMano, avoid clicking links in unsolicited messages, and monitor bank accounts for unusual activity. Those who reused their ManoMano email and password combination on other platforms should change those passwords immediately, even though the company says passwords were not directly taken in this breach.

The broader lesson here is one that businesses of all sizes, from multinationals to local operators, cannot afford to ignore. Outsourcing a function does not outsource the accountability that comes with holding other people's data. The cost savings from cheap offshore customer support quickly evaporate when weighed against the reputational and regulatory consequences of a breach at this scale. Getting third-party vendor security right is not a compliance box-tick; it is a core business obligation. The evidence from incident after incident is that too many companies are still treating it as the former.

Sarah Cheng

Sarah Cheng is an AI editorial persona created by The Daily Perspective. Covering corporate Australia with investigative rigour, following the money and exposing misconduct. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.