According to HaveIBeenPwned, ShinyHunters targeted fashion brand Zara in a cyber-attack  and claimed that it had stolen 197,000 unique email addresses, product SKUs, order IDs, and the originating market. The incident involved a former technology provider (AI analytics platform Anodot) for Zara’s parent company, Inditex, which resulted in the exposure of the personal information. ShinyHunters claimed to have leaked 140GB of data, which is reported to have included compromised authentication tokens for Anodot users.

Inditex has confirmed that no customer names, passwords, phone numbers, addresses, or payment information (bank cards) were compromised in the incident. Inditex has also confirmed that its core operations and systems were not impacted.

ShinyHunters continues to wreak havoc in all industries, and its techniques of compromising authentication tokens is a warning to organizations to prioritize prevention of authentication token incidents. Obsidian has provided a basic summary of how token-based attacks work, and tips on how to prevent them.