Fashion retailer MANGO is notifying customers of a third-party data breach that compromised their personal information.
Ranked as one of the World’s Best Companies in 2025 by Time Magazine, MANGO operates over 2,850 store locations across 120 countries. It employs about 17,000 people and reported annual revenue of $3.85 billion (€3.3B) in 2024.
Upon learning of the data breach, MANGO activated all cyber protocols, notified authorities, and contacted the impacted individuals.
Fashion retailer MANGO’s third-party data breach leaked personal information
The fashion retailer investigated the third-party data breach and determined that it leaked limited personal contact information used in marketing.
“In line with our commitment to the security and privacy of our customers, MANGO wants to inform you that one of our external marketing services has suffered unauthorized access to certain personal data,” the company said.
The breach leaked customers’ first names, countries, postal codes, email addresses, and telephone numbers. However, it did not expose customers’ financial information such as bank account numbers and credit cards, government-issued IDs such as the National ID or passport numbers, or account login credentials.
“It’s reassuring to see the speed in which MANGO was able to respond to the intrusion,” said Pete Luban, Field CISO at AttackIQ. “It’s difficult to prevent any data theft once an attacker has entered, but keeping banking information, credit card data, and account credentials unaffected is a sign that MANGO had effective security defenses in place, likely learning from the previous attacks on prominent retail chains like Harrods and Co-op.”
Nevertheless, the exposure of first names and contact details, such as email addresses and phone numbers, still makes the impacted individuals vulnerable to phishing attacks.
“Even the limited leak of only some personally identifying information can be of use to scammers,” reiterated Roger Grimes, CISO Advisor at KnowBe4. “The hackers could craft a phishing message related to MANGO, and because the potential victim does have some sort of existing relationship with MANGO, any well-crafted phishing message is more likely to be successful than if it were some broad, generic type of phishing campaign. Every bit of information you give a scammer about someone can be used to craft a more realistic phishing message.”
Subsequently, the fashion retailer advised affected customers to remain vigilant for unsolicited communications and requests for unusual actions via email or phone.
“We recommend that all our customers pay attention to any suspicious communications or requests for unusual actions, both by email and by phone,” it said.
Meanwhile, the fashion retailer says the third-party data breach did not affect its internal IT infrastructure and that its operations continued normally.
“We inform you that everything continues to function normally and that MANGO’s corporate infrastructure and systems have not been compromised,” the company stated.
MANGO has also determined that the hacker has not misused the stolen information for nefarious purposes. The fashion retailer also implemented additional security measures and reported the incident to the Spanish Data Protection Agency (AEPD) and other relevant authorities. It also apologized for the data breach and set up a dedicated email address to assist impacted customers in navigating the breach.
However, MANGO has not disclosed the source of the third-party data breach, the number of affected customers, or the identity of the threat actor. So far, no cybercrime gang has taken responsibility for the attack.
Third-party data breach may be Salesforce-related
Nevertheless, the third-party data breach bears the hallmarks of a phishing campaign targeting the Salesforce cloud-based customer relationship management (CRM) system that affected over a dozen high-profile organizations, including Google.
Spain has also witnessed a string of data breaches affecting its top fashion retailers. In March 2025, El Corte Inglés experienced a third-party data breach that leaked customers’ ID numbers and credit card details. Another Spanish fashion retailer, Tandem, which operates in over 70 countries, also suffered a data breach that leaked 720 GB of data, with the hacker demanding roughly $932,840 (€800,000) in ransom.
Elsewhere, U.K. fashion retailers Marks & Spencer, the Co-Op, and Harrods were targeted in widespread attacks attributed to the Scattered Spider cyber threat group.

