
ManoMano data breach impacted 38 Million customer accounts


European DIY platform ManoMano suffered a data breach via a third-party provider, exposing personal data of 38 million customers.

European DIY e-commerce platform ManoMano disclosed a major data breach affecting 38 million customers. Hackers accessed personal information by compromising a third-party service provider, prompting notifications and potential security measures for impacted users across multiple countries.

ManoMano is a European e-commerce platform specializing in DIY, home improvement, gardening, and tools. Founded in 2013, it connects consumers with a wide range of products—from power tools and plumbing supplies to outdoor furniture and gardening equipment—offered by multiple sellers, including brands and independent retailers.

ManoMano confirmed to BleepingComputer that it discovered a security breach in January 2026 affecting 38 million customers. The incident involved unauthorized access linked to a third-party service provider, which led to the extraction of personal data associated with customer accounts and customer service interactions. The company has notified affected users and is investigating the scope of the compromise.

“In January 2026, we identified unauthorized access linked to this provider, which resulted in the unauthorized extraction of certain personal data associated with customer accounts and customer service interactions,” the company told BleepingComputer.

According to the data breach notification sent to impacted customers, the exposed data includes first name, last name, email address, telephone number, and any interactions with the company's customer service.

The company pointed out that user passwords were not compromised.

Upon detecting the breach, the company immediately blocked the compromised account and revoked the subcontractor’s access. Enhanced data access controls were implemented internally and for all subcontractors. Authorities, including CNIL, ANSSI, and the Cyber Emergency Île-de-France platform, were informed to ensure proper oversight and response.

“As soon as the incident was identified, we immediately took all necessary measures to protect your data.

The analyses conducted by our cyber security teams allowed for the quick identification of the compromised account, which was blocked on the same day the incident was discovered. Subsequently, we revoked all of our subcontractor’s access to our customers’ data,” reads the data breach notification sent to the impacted users.

“We have also implemented reinforced controls on data access, both within our company and at our other subcontractors. Finally, we informed the CNIL (French National Commission for Information Technology and Civil Liberties), the ANSSI (French National Agency for the Security of Information Systems) and the Cyber Emergency Île-de-France platform.”

In February, a threat actor using the alias “Indra” claimed responsibility for the data breach, allegedly holding data on 37.8 million users, including support tickets.

The investigation into the incident is still ongoing.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)