European DYI Chain ManoMano Data Breach Impacts 38 Million Customers

The ManoMano breach highlights a growing trend where cyber‑criminals target the extended ecosystem of e‑commerce firms rather than the primary brand itself. As retailers increasingly outsource customer service and logistics to specialized providers, the attack surface expands, making third‑party risk management a critical component of cybersecurity strategies. In Europe, where data‑privacy regulations are stringent, any lapse can quickly attract the attention of authorities such as the CNIL and ANSSI, amplifying reputational and financial stakes.

In this case, the compromised provider—identified as a Tunisian support center using Zendesk—allowed unauthorized extraction of personal identifiers and support interactions for 38 million users across six markets. ManoMano’s response was swift: it disabled the compromised access, revoked the subcontractor’s privileges, and bolstered monitoring and access controls. By confirming that passwords were not harvested and that no data alterations occurred, the company aimed to limit the breach’s operational impact while providing customers with clear anti‑phishing guidance. The prompt notification to regulators aligns with GDPR’s breach‑reporting obligations, potentially mitigating fines but also signaling heightened oversight.

For the broader DIY and home‑improvement sector, the incident serves as a cautionary tale about the importance of vendor vetting, continuous security audits, and encrypted data handling. Companies should enforce zero‑trust principles, ensuring that third‑party services only receive the minimal data necessary for their function. Additionally, proactive customer communication—detailing the scope of exposure and actionable steps—can preserve trust and reduce the likelihood of successful social‑engineering attacks. As regulators tighten supply‑chain security expectations, firms that embed robust third‑party governance will gain a competitive edge in an increasingly privacy‑conscious market.