ManoMano data breach impacted 38 Million customer accounts

European DIY platform ManoMano suffered a data breach via a third-party provider, exposing personal data of 38 million customers.

European DIY e-commerce platform ManoMano disclosed a major data breach affecting 38 million customers. Hackers accessed personal information by compromising a third-party service provider, prompting notifications and potential security measures for impacted users across multiple countries.

ManoMano is a European e-commerce platform specializing in DIY, home improvement, gardening, and tools. Founded in 2013, it connects consumers with a wide range of products—from power tools and plumbing supplies to outdoor furniture and gardening equipment—offered by multiple sellers, including brands and independent retailers.

ManoMano confirmed to BleepingComputer that it discovered a security breach in January 2026 affecting 38 million customers. The incident involved a third-party service provider, whose unauthorized access led to the extraction of personal data linked to customer accounts and service interactions. The company has notified affected users and is investigating the scope of the compromise.

“In January 2026, we identified unauthorized access linked to this provider, which resulted in the unauthorized extraction of certain personal data associated with customer accounts and customer service interactions.” the company told BleepingComputer.

According to the data breach notification sent to the impacted customers, the exposed data includes: first name, last name, email address, telephone number, and your eventual interactions with our customer service.

The company pointed out that user passwords were not compromised.

Upon detecting the breach, the company immediately blocked the compromised account and revoked the subcontractor’s access. Enhanced data access controls were implemented internally and for all subcontractors. Authorities, including CNIL, ANSSI, and the Cyber Emergency Île-de-France platform, were informed to ensure proper oversight and response.

“As soon as the incident was identified, we immediately took all necessary measures to protect your data.

The analyses conducted by our cyber security teams allowed for the quick identification of the compromised account, which was blocked on the same day the incident was discovered. Subsequently, we revoked all of our subcontractor’s access to our customers’ data.” reads the data breach notification sent to the impacted users.

“We have also implemented reinforced controls on data access, both within our company and at our other subcontractors. Finally, we informed the CNIL (French National Commission for Information Technology and Civil Liberties), the ANSSI (French National Agency for the Security of Information Systems) and the Cyber Emergency Île-de-France platform.”

In February, a threat actor using the alias “Indra” claimed responsibility for the data breach, allegedly holding data on 37.8 million users, including support tickets.

The investigation into the incident is still ongoing.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)