ManoMano data breach exposes personal information of 38 million customers

European DIY retail chain ManoMano has disclosed a data breach affecting 38 million customers after hackers compromised a third party customer service provider, the company confirmed this week.

The breach was identified in January 2026, when ManoMano detected unauthorized access linked to one of its subcontracted customer support providers. The intrusion led to the unauthorized extraction of certain personal data associated with customer accounts and customer service interactions.

ManoMano is a French e commerce company that operates an online marketplace specializing in DIY, home improvement, gardening and related products. The company serves customers in France, Belgium, Spain, Italy, Germany and the United Kingdom, and its online stores attract about 50 million unique visitors per month.

An internal investigation determined that 38 million individuals were affected by the incident. The type of exposed information varies depending on each customer’s interactions with the platform. The compromised data may include full names, email addresses, phone numbers and customer service communications.

ManoMano stated that no account passwords were accessed and that no data on its own systems was modified.

Upon discovering the breach, the company disabled the relevant access, revoked the subcontractor’s ability to access customer data and strengthened access controls and monitoring. ManoMano also notified French authorities, including the Commission nationale de l’informatique et des libertés and the National Agency for the Security of Information Systems, and began informing impacted customers.

Customer notifications advise recipients to remain vigilant against phishing and social engineering attempts. Recommended precautions include verifying the authenticity of incoming communications, monitoring bank accounts for suspicious activity and avoiding clicking on unknown links or downloading unexpected email attachments.

Earlier this month, an individual using the alias “Indra” claimed responsibility for the attack on a hacker forum, asserting possession of data tied to 37.8 million user accounts along with thousands of support tickets and attachments. ManoMano has not publicly attributed the breach to any specific individual.