DIY store chain ManoMano is notifying customers of a data breach that was caused by hackers compromising a third-party service provider.

The company confirmed to BleepingComputer that it learned of the hack in January 2026. An investigation into the incident determined that 38 million individuals are affected.

“We can confirm that ManoMano has recently notified customers about a security incident involving one of our third-party customer service providers (a subcontractor),” the company told BleepingComputer.

“In January 2026, we identified unauthorized access linked to this provider, which resulted in the unauthorized extraction of certain personal data associated with customer accounts and customer service interactions.”

ManoMano is a French e-commerce firm operating an online marketplace specializing in DIY, home improvement, gardening, and related products. It operates in France, Belgium, Spain, Italy, Germany, and the United Kingdom, and its e-stores reportedly have 50 million unique visitors per month.

Earlier this month, someone using the alias “Indra” claimed the ManoMano attack on a hacker forum, alleging that they were holding details on 37.8 million user accounts, as well as thousands of support tickets and attachments.

According to unconfirmed reports, the compromised organization was a Tunis-based customer support service provider that suffered a Zendesk breach.

Cybersecurity firm Hackmanac posted that ManoMano started notifying customers this week that their data had been stolen.

A spokesperson of ManoMano explained to BleepingComputer that the exposed information varies per individual, depending on the type of interactions they had with the platform. Exposed data types include:

• Full name
• Email address
• Phone number
• Customer service communications

ManoMano emphasizes that no account passwords were accessed and that no data modifications occurred on the company’s systems.

“Upon discovery, we took immediate steps to secure our environment, including disabling the relevant access, revoking the subcontractor’s access to customer data, and strengthening access controls and monitoring,” said a ManoMano spokesperson.

“We also notified the relevant authorities, including the CNIL and ANSSI, and informed impacted customers with guidance to remain vigilant against phishing and social engineering attempts.”

The notification sample ManoMano shared with BleepingComputer contains recommendations for customers, including verifying incoming communications and sender identity, monitoring bank accounts for fraudulent transactions, and avoiding clicking on suspicious links or downloading email attachments.

ManoMano notes that the investigation is ongoing and that they cannot share additional technical details at this stage.