Skip to content
Supply chainContained

Leak at Mango

In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.

Victim
Mango

On 15 October 2025, Mango β€” the Spanish fast-fashion retailer β€” began notifying customers that personal data used in its marketing campaigns had been exposed in a data breach. The compromise did not affect Mango's own systems or corporate infrastructure: instead, an external service provider handling the brand's marketing campaigns suffered unauthorized access to customer data, making this a supply-chain incident.

The data involved was limited to contact and demographic fields. Exposed categories included:

  • First name
  • Country
  • Postal code
  • Email address
  • Phone number

According to Mango and to ZATAZ, no surnames, passwords, login credentials, banking or credit-card details, or identity-document data were involved. The company did not disclose how many customers were affected; figures circulating in aggregator listings are unverified.

Mango said it activated its security protocols on detecting the incident over the weekend and notified the Spanish data protection authority (AEPD) within the timeframes required under the GDPR. It set up a dedicated contact channel (personaldata@mango.com) for concerned customers and urged vigilance against phishing emails and suspicious phone calls. The retailer stated that its systems continued to operate normally, placing the incident among a wave of 2025 attacks on the retail sector.

Sources

  1. zataz.comhttps://www.zataz.com/fuite-de-donnees-chez-mango-un-prestataire-marketing-vise/
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/clothing-giant-mango-discloses-data-breach-exposing-customer-info/
  3. securityaffairs.comhttps://securityaffairs.com/183435/data-breach/spanish-fashion-retailer-mango-disclosed-a-data-breach.html
  4. therecord.mediahttps://therecord.media/mango-fashion-retaier-data-breach

Related incidents

Supply chainContained

Leak at Alltricks

In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.

Victim
Alltricks
Supply chainContained

Leak at Pandora

In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data β€” names, email addresses and birth dates β€” while stating no passwords or payment data were taken.

Victim
Pandora
Supply chainContained

Leak at Afflelou

In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.

Victim
Afflelou