European DIY platform ManoMano suffered a data breach via a third-party provider, exposing personal data of 38 million customers.
European DIY e-commerce platform ManoMano disclosed a major data breach affecting 38 million customers. Hackers accessed personal information by compromising a third-party service provider, prompting notifications and potential security measures for impacted users across multiple countries.
ManoMano is a European e-commerce platform specializing in DIY, home improvement, gardening, and tools. Founded in 2013, it connects consumers with a wide range of products—from power tools and plumbing supplies to outdoor furniture and gardening equipment—offered by multiple sellers, including brands and independent retailers.
ManoMano confirmed to BleepingComputer that it discovered a security breach in January 2026 affecting 38 million customers. The incident involved a third-party service provider, whose unauthorized access led to the extraction of personal data linked to customer accounts and service interactions. The company has notified affected users and is investigating the scope of the compromise.
“In January 2026, we identified unauthorized access linked to this provider, which resulted in the unauthorized extraction of certain personal data associated with customer accounts and customer service interactions.” the company told BleepingComputer.
EXPLORE MORE
Iran-linked MuddyWater deploys Dindoor malware against U.S. organizations
Iran-linked APT MuddyWater targeted U.S. organizations, deploying the new Dindoor backdoor across…
Phishing campaign exploits OAuth redirection to bypass defenses
Microsoft researchers warn that threat actors abuse OAuth redirects to target government…
Endangered Missing Person Mark Clemons from the 14th District
The Philadelphia Police Department is seeking the public’s assistance in locating endangered…
Android devices hit by exploited Qualcomm flaw CVE-2026-21385
Google confirms that the Qualcomm Android vulnerability CVE-2026-21385 was exploited in real-world…
Endangered Missing Person Alduster Cartwright 8th District Has Been Located
The Philadelphia Police Department is seeking the public’s assistance in locating enangered…
University of California’s K-12 materials call January 6 an ‘insurrection,’ compare it to KKK
University of California Santa Cruz has proposed K-12 educational materials that would…
According to the data breach notification sent to the impacted customers, the exposed data includes: first name, last name, email address, telephone number, and your eventual interactions with our customer service.
The company pointed out that user passwords were not compromised.
Upon detecting the breach, the company immediately blocked the compromised account and revoked the subcontractor’s access. Enhanced data access controls were implemented internally and for all subcontractors. Authorities, including CNIL, ANSSI, and the Cyber Emergency Île-de-France platform, were informed to ensure proper oversight and response.
“As soon as the incident was identified, we immediately took all necessary measures to protect your data.
The analyses conducted by our cyber security teams allowed for the quick identification of the compromised account, which was blocked on the same day the incident was discovered. Subsequently, we revoked all of our subcontractor’s access to our customers’ data.” reads the data breach notification sent to the impacted users.
“We have also implemented reinforced controls on data access, both within our company and at our other subcontractors. Finally, we informed the CNIL (French National Commission for Information Technology and Civil Liberties), the ANSSI (French National Agency for the Security of Information Systems) and the Cyber Emergency Île-de-France platform.”
#ManoMano
Gentile Cliente,
siamo stati recentemente informati che uno dei nostri fornitori di servizi clienti (subappaltatore) è stato vittima di un attacco informatico nel gennaio 2026, che ha comportato un download non autorizzato di dati personali pic.twitter.com/UYvRxoPz3r— JAMESWT (@JAMESWT_WT) February 12, 2026
In February, a threat actor using the alias “Indra” claimed responsibility for the data breach, allegedly holding data on 37.8 million users, including support tickets.
The investigation into the incident is still ongoing.
