
Third-Party Data Breach at Online DIY Firm ManoMano Affects Nearly 38 Million People

Online DIY, home improvement, and gardening platform ManoMano has suffered a third-party data breach after an overseas customer service subcontractor was compromised.

ManoMano learned of the breach only after a threat actor using the handle “Indra” claimed responsibility for the leak on the underground hacking forum BreachForums.

Upon learning of the breach, ManoMano says it immediately revoked the access the attacker had been using, notified the relevant authorities, and applied mitigations.

ManoMano confirms third-party data breach

The Paris-based company says the breach exposed customers’ names, email addresses, phone numbers, and customer service conversations. ManoMano reports about 50 million active unique users per month, so if the attacker’s figures are accurate, a large share of its user base would be affected.

The attacker claims to have stolen 43 GB of customer data, including account information for 37.8 million customers, over 900,000 customer service tickets, and over 13,000 attachments. ManoMano, however, says the breach affected “thousands of customers,” far fewer than the tens of millions claimed by the threat actor; the two figures have not been reconciled.

The company has confirmed that no customer account passwords were compromised, that its own internal IT infrastructure was not affected, that operations were not disrupted, and that no data was modified.

While names, email addresses, and phone numbers are not in themselves highly sensitive, combined with the content of past support conversations they give cybercriminals everything needed to craft convincing phishing messages that lure victims into revealing more sensitive data.

“The true prize lies not merely in contact details but also in the 13,000 pilfered attachments and service logs that provide the ideal blueprint for highly targeted phishing attacks,” said Noelle Murata, Sr. Security Engineer, Xcape. “The primary threat isn’t necessarily account hijacking, but rather scams referencing actual past purchases or support interactions. Any communication purporting to be from a support representative should be viewed with suspicion.”

Accordingly, ManoMano has warned affected customers about potential phishing attempts, including the risks of clicking on suspicious links or downloading and opening email attachments. Customers should also monitor their bank accounts for suspicious activity and verify any communication purporting to come from the company through its official website or app rather than through contact details supplied in the message itself.

Reports indicate that the compromised system was the subcontractor’s Zendesk instance. Neither ManoMano nor the subcontractor has disclosed how the attacker gained access.

Zendesk, for its part, says its own infrastructure was not compromised and that the attacker most likely used compromised credentials for the subcontractor’s account. If so, this is a familiar SaaS failure mode: the platform itself is not exploited, but a legitimate login, and the bulk export capability it carries, is abused.

ManoMano’s investigation is still ongoing, and the company says it will share more details as they become available.

Data breach affects several European countries

The breach affected customers in five of the six European countries where the company operates: France, Germany, Italy, Spain, and the United Kingdom. The breached subcontractor was based in Tunisia.

“ManoMano wasn’t breached directly,” said Denis Calderone, CTO, Suzu Labs. “Their outsourced customer support provider got compromised, and through that one access point attackers pulled millions of customer records and close to a million support tickets. This is the supply chain problem we keep talking about. You can lock your own house down all you want, but if your subcontractor leaves their door open, your data walks out through their environment.”

ManoMano has disabled the subcontractor’s access to prevent further compromise and has notified affected users and the relevant authorities, including France’s data protection authority, CNIL, and its national cybersecurity agency, ANSSI. The company also says it has strengthened access controls and monitoring to prevent a similar incident in the future.

ManoMano has also moved its customer service operations to ADM Value in Madagascar and engaged the public relations agency Burson to limit reputational damage.

So far, the threat actor has not said whether they belong to a cybercrime group or how they obtained the credentials. Phishing, vishing (voice phishing), and other social engineering tactics remain the most common ways of harvesting credentials without exploiting any product vulnerability, alongside infostealer malware and the reuse of passwords exposed in earlier breaches; none of these is stopped by the SaaS vendor’s own security, only by the customer’s authentication controls, such as phishing-resistant multi-factor authentication, and by monitoring for unusual bulk data access.

In a related trend, an aggressive social engineering campaign by the hacking group ShinyHunters has targeted employee accounts on single sign-on platforms including Okta, Microsoft, and Google, affecting hundreds of downstream organizations.