leaksear.ch has indexed 104,858,217 records from a Zara data leak dated April 22, 2026, involving emails, country data and purchase related fields (leaksear.ch metadata). Public reporting and Have I Been Pwned describe a narrower confirmed people count, about 197,400 unique email addresses, and say Inditex told media that passwords and payment information were not affected (haveibeenpwned.com, www.bleepingcomputer.com).
What happened
Inditex, Zara's parent company, said on April 16, 2026 that it had identified unauthorized access to third-party-hosted databases containing information on customer transactions. The company said the breach stemmed from a security incident at a former technology provider, that it had started notifying authorities, and that the databases did not contain addresses, passwords or bank card details (www.marketscreener.com).
ShinyHunters later claimed the Zara leak and Hackread reported that the group published Zara and 7-Eleven listings on April 22, 2026 as part of a pay-or-leak campaign. Hackread said the Zara listing referenced BigQuery instances and Anodot as an entry point, while Have I Been Pwned also described Zara as one of several organizations targeted in a ShinyHunters pay-or-leak campaign tied to an alleged Anodot analytics platform compromise (hackread.com, haveibeenpwned.com).
The leaksear.ch metadata attributes the indexed set to ShinyHunters' April 22 publication and describes compromised Anodot analytics-platform authentication tokens used to exfiltrate about 140 GB of customer support tickets, ecommerce orders, newsletter subscriptions and product-catalog data from Zara BigQuery instances (leaksear.ch metadata). BleepingComputer separately reported that ShinyHunters claimed a 140 GB archive was taken from BigQuery instances using compromised Anodot authentication tokens, while noting that Inditex had not publicly attributed the incident to a specific threat actor or named the provider (www.bleepingcomputer.com).
What data was exposed
In the leaksear.ch index, the searchable pivots are country and email (leaksear.ch metadata). Other stored fields are purchase or merchandising fields, including first purchase date and month, fiscal year of first purchase, date and country IDs, euro amount, ranking and units (leaksear.ch metadata).
Public breach descriptions add unique email addresses, geographic locations, purchases and support ticket data, including product SKUs, order IDs and the market where the support ticket originated (haveibeenpwned.com, www.bleepingcomputer.com). The public sources reviewed here do not support claims that names, phone numbers, postal addresses, passwords or payment card data were included in this leak (www.bleepingcomputer.com, www.marketscreener.com).
Why this matters
Email addresses paired with order, product and support-ticket context can make fake refund, delivery, account-support and loyalty-program messages more convincing. Cybernews similarly noted that the breach could give attackers a sharper phishing playbook by tying customer identities to real orders and complaints (cybernews.com).
For security teams, the practical work is customer-facing: monitor brand impersonation, validate support and notification domains, and prepare guidance for people who may receive messages referencing Zara orders. If you have used Zara online, use the check below to see whether your email or country appears in this indexed leak.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include country and email.
Sources
- Have I Been Pwned: Zara Data Breach
- BleepingComputer: Zara data breach exposed personal information of 197,000 people
- Hackread: ShinyHunters Leaks Data of Udemy, Zara, 7-Eleven in Salesforce Linked Breach
- MarketScreener: Zara owner Inditex reports unauthorised access to transaction databases
- Cybernews: Zara data breach exposes 200K customers after alleged ransomware attack