If You've Shopped at Zara, Check This Right Now — 197,000 Customers' Data Leaked

 

 

So last week my friend suddenly texted me on KakaoTalk. "Hey, I got some weird email from Zara, is this real?" At first I thought it was just spam, but turns out there was actually a massive customer data breach at Zara. My friend was a member of their online shopping mall, so yeah, it was legit.

Honestly, my first reaction was like "Wait, THE Zara?" You know, that huge fashion brand with stores all over the world. But yeah, it's that Zara. And there are seriously so many Zara stores here in Korea anyway. People shop online there all the time. I'm probably not the only one thinking "wait, this could be about me."

So what exactly happened?

The group behind this is called ShinyHunters. The name sounds kinda cute, but these guys are actually a notorious hacking group that targets major companies worldwide. They've got a track record of stealing data from huge companies like Microsoft and Ticketmaster and selling it on the dark web.

This time they're claiming they got personal info from about 197,000 Zara customers and are threatening to release it publicly if Zara doesn't meet their demands. The leaked information reportedly includes names, email addresses, phone numbers, and shipping addresses — basically all that stuff you enter when you buy something online.

So why is this actually dangerous?

You might be thinking "It's just a name and phone number, right? Big deal?" Honestly, I thought the same thing at first. But here's the thing — that combo is way scarier than you'd think.

When you combine name + phone number + email + home address, it becomes the perfect recipe for spear phishing — where scammers target you personally with customized messages instead of just blasting out random spam. They'll text something like "Dear [your name], we're processing a refund for your recent purchase" — they're pretending to know you, and it's super easy to fall for it.

Plus, a lot of people use the same password across multiple websites. I definitely used to do that. If your email and password combo gets exposed, hackers will immediately start trying to log into other sites using credential stuffing — basically automated login attempts. Your bank account, shopping apps, portal sites, everything could get compromised in a chain reaction.

Here's how it could actually happen to you — real scenario

Let me give you an example. One day you get a text: "Dear Zara customer, your previous order had a delivery error and we're re-sending it. Please verify your address using the link below." You click the link and boom, a fake website that looks almost exactly like the real Zara site opens up.

It asks you to "confirm" your name and address by logging in. Since they already know your name and phone number, it feels totally legit. The moment you log in, your ID and password go straight to the hackers. And get this — the whole thing takes like 2-3 minutes.

Or it could be something more direct like "Your Zara membership points are expiring soon — enter your credit card info now to convert them to cash." Since they actually know your info, you're way less suspicious.
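The fake-link scenario above can be turned into a quick check of where a link really goes. This is an added example, not part of the original post; it assumes zara.com is the only official domain, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: zara.com is the only domain treated as official.
OFFICIAL_DOMAINS = {"zara.com"}

# Constructed sample links of the kind a "delivery error" text might carry.
SAMPLE_LINKS = [
    "https://www.zara.com/kr/",
    "https://zara.com.delivery-check.example/verify",
    "https://zara.com@delivery-check.example/verify",
    "https://zara-kr.example/login",
    "http://www.zara.com/kr/",
]


def link_verdict(url: str) -> str:
    """Return 'official' or the reason the link should not be trusted."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious: malformed URL"
    if parts.scheme != "https":
        return "suspicious: not an https link"
    if parts.username or parts.password:
        # Everything before '@' is login info, not the site being opened.
        return "suspicious: text before '@' hides the real host"
    if not host:
        return "suspicious: no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious: look-alike characters in host"
    for domain in OFFICIAL_DOMAINS:
        # Only the exact domain or a true subdomain of it counts.
        if host == domain or host.endswith("." + domain):
            return "official"
    if any(domain.split(".")[0] in host for domain in OFFICIAL_DOMAINS):
        return "suspicious: brand name inside an unrelated domain"
    return "suspicious: unrelated domain"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link_verdict(link):55} {link}")
```

An "official" verdict only says the host is the real domain; typing the address yourself or opening the app is still the safer habit.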

Okay, so what should I do right now?

I know it feels overwhelming, but there are actually things you can do immediately. And it's not hard, seriously.

First, change your Zara account password RIGHT NOW. Just log into the Zara online mall or app and change it to something new. If you were using the same password on other sites, you gotta change those too.

Second, enable 2-factor authentication on your email and major accounts like Naver and KakaoTalk. 2FA means you have to confirm your login with a text message or app in addition to your password. Even if your password gets stolen, they can't log in without this second step. It's usually in Settings → Security.

Third, NEVER click links from unknown numbers, even if the message uses your name and no matter how official it looks. Get in the habit of going directly to the official app or website instead of clicking links. This is actually really important.

Fourth, you can check if your info has been leaked. Go to haveibeenpwned.com and enter your email address. It'll show you if your email was included in any past data breaches. It's an English site but you just need to enter your email, so it's pretty straightforward.

Fifth, report any suspicious texts or calls. You can call the Korea Internet & Security Agency (KISA) at 118 or screenshot the message and report it. If we all just ignore it and move on, the next person becomes a victim.

Frequently Asked Questions (FAQ)

Q: I don't have the Zara app and only go to physical stores. Does this affect me?

A: If you ever entered your personal info at a physical store for a membership card or receipt, you could be included. Even if you're not an online member, they might have your info from an in-store visit. It's worth checking your account on the Zara app or website to see if you have one registered.

Q: If my info is already leaked, isn't there nothing I can do about it?

A: You can't undo the leak itself, but preventing actual damage starts now. By changing your password, enabling 2FA, and ignoring suspicious contacts, you can stop it from becoming a real problem. Just because the door was opened doesn't mean a thief got in — it's important to lock it up tight right now.

Q: Can I get official notice or compensation from Zara?

A: Zara hasn't made an official statement or announced compensation procedures yet. It's best to keep checking their official website and customer service for updates. If you suspect your personal info has been compromised, you can also file a complaint or request a consultation with the Personal Information Protection Commission (privacy.go.kr).

Last thing I want to say

When you read news like this, it's honestly super demoralizing. You didn't do anything wrong, so why is your info floating around out there? But here's the thing — it's not your fault. The company failed to protect it, and the hackers are the bad guys.

Still, there's stuff we can do. Change your password, turn on 2FA, don't click suspicious links. Just doing these three things right now makes a difference. You don't need to become some security expert. Just invest like 10 minutes today.

If you know someone who should read this, send them the link via KakaoTalk. Seriously, people are getting hit with this stuff because they don't know about it. Let's protect ourselves and the people around us 😊

 

View original article

 

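Famous fashion brand 'Zara' exposes data of 197,000 customers... ShinyHunters threatens to release Zara data - 데일

Customer information for Zara, the flagship brand of the fashion group Inditex, was leaked in a security incident at an outside vendor. 인디텍스는 지난 4월 15일 고객 거래 관련 정보가 담긴 제3자 호스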

www.dailysecu.com