Mar 01, 2026 · 5 min read
38 Million Europeans Had Their Emails and Phone Numbers Stolen—Via a Customer Support App
ManoMano's breach followed a now-familiar playbook: attackers didn't go after the company directly—they went after the vendor that had access to everyone's data.
In January 2026, a threat actor operating under the alias "Indra" breached a customer support service provider used by ManoMano—a French e-commerce marketplace serving 50 million monthly visitors across six European countries. By the time ManoMano discovered the intrusion and began notifying affected customers in late February, the attacker had extracted personal data on 37.8 million accounts.
The stolen data included full names, email addresses, telephone numbers, and records of customer service communications. No passwords were compromised. No payment data was taken. And ManoMano's own systems were not breached at all.
That last point is the story. ManoMano was hacked through a company it hired to run its customer support helpdesk. The attacker never touched ManoMano's infrastructure. They didn't need to.
How a Subcontractor Became the Weakest Link
The attack vector was a Zendesk account belonging to a customer support service provider operating out of Tunis. The provider had been granted access to ManoMano's customer data as part of its role handling support tickets. When Indra compromised that provider's account, they gained access to years of customer records—not through a sophisticated technical exploit, but through a single set of legitimate credentials at a vendor.
ManoMano moved quickly once the breach was detected: the compromised account was disabled, the subcontractor's access was revoked, and both CNIL (France's data protection authority) and ANSSI (the national cybersecurity agency) were notified. The company also alerted the Cyber Emergency Île-de-France platform.
But the data had already left. Thirty-seven million eight hundred thousand records of customer contact information, sitting in a searchable database that Indra had already copied.
The Third Party Breach Pattern
The ManoMano breach is not unusual. It follows a well-documented pattern that has defined some of the largest data exposures of the past several years: attackers targeting the vendors, processors, and service providers that hold customer data on behalf of larger companies rather than attacking the companies directly.
The logic is straightforward. Large enterprises invest heavily in their own security. Their vendors—the smaller companies that handle specific functions like customer support, payment processing, or HR software—often do not. And those vendors have contractual access to exactly the data that attackers want.
In 2025, a similar attack pattern affected Discord, where attackers breached a third party customer support provider and accessed millions of support tickets. The Ticketmaster breach that exposed 560 million records ran through a cloud data provider. The Snowflake campaign that compromised dozens of companies in mid-2024 operated the same way: attackers harvested credentials for the shared infrastructure that companies rely on rather than targeting each company individually.
Customer support systems are a particularly attractive target. They are designed to aggregate customer data in a searchable, exportable format. They are accessed by third party vendors whose security posture varies widely. And they often contain not just contact information but detailed records of every interaction a customer has had with a company—complaints, purchase histories, account details.
What 38 Million Stolen Records Actually Mean
Names, email addresses, and phone numbers might seem like low-grade data compared to payment information or Social Security numbers. But they are precisely what attackers need for the next step: targeted phishing.
With a confirmed list of ManoMano customers—people who buy home improvement products, tools, and gardening supplies across Europe—a threat actor can craft highly specific phishing emails. A message referencing a recent order, a delivery issue with a specific product category, or a promotional offer tailored to a customer's purchase history will not look like generic spam. It will look exactly like a legitimate communication from a company the recipient has actually used.
The phone numbers add another attack surface: SMS phishing, or direct voice calls pretending to be customer service. ManoMano has warned customers to remain vigilant against phishing and social engineering attempts. That warning is appropriate, but the scale means the data will circulate on criminal forums for years.
The GDPR Dimension
Under GDPR, ManoMano had 72 hours to notify CNIL after becoming aware of the breach. The company appears to have met that obligation. CNIL now has the authority to investigate whether ManoMano had adequate contractual protections and oversight in place for its third party data processors—under Article 28 of GDPR, data controllers are responsible for ensuring that processors they appoint apply appropriate technical and organizational security measures.
Whether the oversight ManoMano applied to a support provider in Tunis, one that was subsequently compromised, meets that standard is a question regulators will likely examine. France's data authority has shown a willingness to issue significant fines: in January 2026, CNIL fined Free Mobile €27 million and its parent Free €15 million following a breach that exposed 24 million subscriber records. France Travail received a €5 million fine the same month.
A breach affecting 38 million people through an inadequately secured vendor would represent a significantly larger scale of harm.
What Companies Should Be Doing Differently
The ManoMano breach illustrates a specific failure mode: excessive trust in third party access credentials without adequate monitoring. Indra accessed a support provider account to extract data, and that access appears to have gone undetected for weeks.
The controls that would have limited the damage are not exotic. Limiting the volume of records accessible through any single vendor account, monitoring for bulk data exports from support systems, requiring multi factor authentication for vendor access, and conducting regular audits of which third parties hold access to what data are all standard recommendations. In this case, none of them appears to have been sufficient.
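The "monitoring for bulk data exports" control above is the kind of check a helpdesk owner can run over its own audit trail. The script below is an added example written for this article; it is not ManoMano's or Zendesk's code, and the log format, the account names (`vendor_support_01`, `agent_paris_03`), the action names and the thresholds are all constructed assumptions. It flags any account that touches more than a set number of distinct records inside a short window, and any account that triggers an export action at all, which is the same policy as "one vendor account should never need thousands of records in a few minutes" expressed as detection logic.

```python
"""Flag bulk record access or exports by a single helpdesk account.

Added example for illustration. The audit-line format, account names,
action names and thresholds below are constructed assumptions, not the
real Zendesk audit-log schema or any ManoMano tooling.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed sample audit lines: "<ISO timestamp> <actor> <action> <object>".
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2026-01-14T01:58:02Z agent_paris_03 ticket.view ticket=88112
2026-01-14T01:58:40Z agent_paris_03 ticket.reply ticket=88112
2026-01-14T02:10:00Z vendor_support_01 ticket.view ticket=90001
2026-01-14T02:10:01Z vendor_support_01 ticket.view ticket=90002
2026-01-14T02:10:02Z vendor_support_01 ticket.view ticket=90003
2026-01-14T02:10:03Z vendor_support_01 ticket.view ticket=90004
2026-01-14T02:10:04Z vendor_support_01 ticket.view ticket=90005
2026-01-14T02:10:05Z vendor_support_01 ticket.view ticket=90006
2026-01-14T02:10:06Z vendor_support_01 ticket.view ticket=90007
2026-01-14T02:10:07Z vendor_support_01 ticket.view ticket=90008
2026-01-14T02:10:08Z vendor_support_01 ticket.view ticket=90009
2026-01-14T02:10:09Z vendor_support_01 ticket.view ticket=90010
2026-01-14T02:10:10Z vendor_support_01 ticket.view ticket=90011
2026-01-14T03:30:00Z vendor_support_02 report.export report=all_users
2026-01-14T09:15:12Z agent_paris_03 ticket.view ticket=88113
"""

# Assumed policy: more than MAX_RECORDS distinct records from one actor
# within WINDOW, or any export action, is reportable. Tune to real volumes.
MAX_RECORDS = 10
WINDOW = timedelta(minutes=5)
EXPORT_ACTIONS = {"report.export", "ticket.export", "user.export"}


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, actor, action, object)."""
    ts, actor, action, obj = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, action, obj


def find_bulk_access(lines: Iterable[str],
                     max_records: int = MAX_RECORDS,
                     window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Return (actor, reason) alerts; at most one alert per actor per reason."""
    recent = defaultdict(deque)   # actor -> deque of (timestamp, object) in window
    alerts: List[Tuple[str, str]] = []
    seen = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, actor, action, obj = parse_line(raw)

        # Any export by a support account is worth a ticket on its own.
        if action in EXPORT_ACTIONS:
            key = (actor, "export")
            if key not in seen:
                seen.add(key)
                alerts.append((actor, f"export action {action} on {obj}"))
            continue

        # Sliding window of distinct records touched by this actor.
        q = recent[actor]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {o for _, o in q}
        if len(distinct) > max_records:
            key = (actor, "bulk")
            if key not in seen:
                seen.add(key)
                alerts.append((actor, f"{len(distinct)} distinct records in {window}"))
    return alerts


if __name__ == "__main__":
    for actor, reason in find_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT {actor}: {reason}")
```

Run against the constructed sample, the ordinary agent who reads one ticket twice produces nothing, while the vendor account that walks eleven tickets in eleven seconds and the account that triggers a full user export are both reported. The per-actor sliding window is what makes this a volume control rather than a signature: it does not care which ticket was read, only how many distinct records one set of credentials touched in a short span.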
For the 37.8 million affected customers, the immediate risk is targeted phishing. The advice is the same as it has always been: be skeptical of any communication referencing your account, especially if it asks you to click a link, provide credentials, or call a phone number. The data is out. The attacks that follow will be more convincing than most people expect.