A ShinyHunters campaign has resulted in the compromise of information belonging to over 197,000 customers of fashion outlet Zara, according to HaveIBeenPwned.
The data breach notification service posted a brief note on its website explaining that data stolen during an April 2026 incident included unique email addresses alongside product Stock Keeping Units (SKU), order IDs and information relating to support tickets.
Initially, Zara parent company Inditex claimed that no names, passwords, bank-card details or any other payment methods were affected by the incident.
"Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally," the group said in mid-April.
Its operations apparently remained unaffected by the incident.
The incident is believed to have stemmed from an attack on analytics provider Anodot.
Stolen Anodot authentication tokens were used to access a number of downstream data platforms. ShinyHunters leaked a 140GB trove of documents it claimed to have stolen from BigQuery instances accessed via these tokens.
It’s believed that other corporate victims of this “pay or leak” campaign include Vimeo, Rockstar Games and edtech giant McGraw Hill. Millions of customers have been impacted.
HaveIBeenPwned said that the group claimed to have accessed as many as 95 million support ticket records in this way. The data was held not only in BigQuery but also in corporate victims’ Snowflake instances.
ShinyHunters Casts a Wide Net
In late April 2026, ShinyHunters targeted edtech provider Instructure, the company behind the Canvas Learning Management System. The attack resulted in the compromise of names, email addresses and student ID numbers, as well as messages. However, the company claimed that no passwords, dates of birth, government identifiers, or financial information were affected.
TrendAI said the breach affects 8809 users of Instructure's popular Canvas learning management platform across 50 countries.
“The breach affects universities, K–12 school districts, and teaching hospitals globally, including eight Ivy League institutions,” it explained.
“Because Canvas stores sensitive personal disclosures, for example, medical accommodation requests and private advisor conversations, the primary risk is highly targeted spear‑phishing using real institutional context. The immediate risk is follow‑on social engineering, credential abuse, and targeted phishing campaigns.”
To pressure Instructure to pay a ransom by May 12, ShinyHunters defaced Canvas login portals for hundreds of education institutions by exploiting a vulnerability.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked,” the note read.
