French online marketplace ManoMano is warning customers their personal data was siphoned off after a cyberattack hit one of its customer support subcontractors – and criminals are already claiming the haul is far larger than the company's carefully worded notice suggests.
In a letter sent to affected users, seen by The Register, ManoMano said it was informed that a customer service provider was hit by a cyberattack in January 2026 that led to "the unauthorized download of personal data associated with your customer account." The company said its investigation found that "an illegal data extraction was carried out from the account of one of our subcontractor's agents."
The exposed data includes first and last names, email addresses, phone numbers, and "any potential exchanges you may have had with our customer service department." ManoMano stressed that "your password is not affected" and that customer data "remains intact and has not been modified."
ManoMano hasn't named the hacked subcontractor, but unconfirmed reports claim the vector for the attack was Zendesk, the widely used – and frequently hacked – support platform.
Meanwhile, over on BreachForums, a user calling themselves "Indra" is claiming responsibility for the ManoMano breach and is boasting about a dataset far larger than anything the retailer has publicly confirmed, alleging tens of millions of user records were swept up in the breach.
The actor alleges access to 37.8 million user accounts totaling roughly 43 GB of data, along with 935,000 after-sales service tickets and more than 13,500 attachments. The claimed haul reportedly spans multiple European markets, including France, Spain, Italy, Germany, and the UK.
In its notification, the retailer said it "immediately took all necessary measures to protect your data," blocked the compromised account the same day it was discovered, and "revoked all of our subcontractor's access to our customers' data." It also reported the incident to France's data protection watchdog, CNIL, and the national cybersecurity agency, ANSSI.
The company warned that the stolen information could be used in phishing or impersonation attempts and advised customers to "remain particularly vigilant for potential fraud attempts."
The company is a dedicated third-party marketplace that hooks up DIY and home improvement buyers with verified merchants. It facilitates sales for various sellers across Europe.
While ManoMano is framing the breach as a subcontractor incident, the alleged scale of the compromise suggests the subcontractor had access to a substantial volume of customer data. ®
Source: The register