ManoMano Data Breach Exposes 38 Million Customer Records via Subcontractor Compromise

ManoMano, a French DIY and home improvement e-commerce marketplace, reports a massive data breach in January 2026 after the compromise of a third-party customer service provider. 

The breach originated from a Tunis-based customer support subcontractor that reportedly suffered a compromise within its Zendesk environment. An alias 'Indra' claimed responsibility for the attack on BreachForums, asserting they stole a dataset from multiple European markets.

ManoMano has not named the subcontractor. The attackers likely exploited the subcontractor's legitimate access privileges to the centralized customer management system to scrape records systematically.

The compromised data includes:

• Full names
• Email addresses
• Phone numbers
• 935,000 after-sales service tickets
• 13,500 file attachments
• Customer service communications and chat logs

The number of affected individuals is 38,000,000. ManoMano claims that account passwords were not accessed and internal systems were not affected.

ManoMano disabled the compromised account and revoked all subcontractor access to customer data. The company reportedly moved its customer service operations to another provider. ManoMano engaged external security experts to manage the incident response and began notifying affected users across France, Spain, Italy, Germany, and the United Kingdom.

The incident was reported to the Commission N§ationale de l'Informatique et des Libertés (CNIL) and the National Cybersecurity Agency of France (ANSSI).