ManoMano, the French online marketplace for DIY and home improvement, disclosed a data breach affecting up to about 38 million customers linked to a third-party Zendesk support service provider in January 2026, exposing full names, email addresses, phone numbers, and customer service communications.

ManoMano confirmed that no account passwords were accessed and data on its own servers was not tampered with, according to the company and independent reporting.

The breach involved a third-party subcontractor rather than ManoMano’s own systems, and the compromised data included customer information.

Regulators and authorities, including France’s CNIL and ANSSI, were notified, and affected customers received guidance to stay vigilant against phishing and social engineering.

ManoMano quickly acted to secure its environment by disabling the subcontractor’s access, revoking data access, and tightening access controls and monitoring after the breach was discovered.

The incident underscores the ongoing risk from third-party vendors and may prompt customers to monitor accounts and consider credential changes.

It also highlights the importance of vendor risk management and continuous monitoring to mitigate data exposure and related phishing threats.

ManoMano said it is investigating the incident, notifying affected customers, and likely reviewing security practices with third parties.

The breach is linked to a Zendesk account operated by a subcontractor based in Tunis, as referenced by the claiming actor.

Affected data reportedly included personal customer details that could be exposed.

Indra, a threat actor, claimed responsibility in a dark web post, asserting that about 37.8 million individuals were affected in what appears to be a large-scale exfiltration.

ManoMano serves six European countries and operates ManoManoPro for professionals, drawing roughly 50 million monthly unique visitors.