Mango fashion chain suffers third-party breach, customer data impacted

Global fashion retailer Mango on Wednesday began notifying customers that it is the victim of a third-party marketing breach and that the hackers have gained access to some customer data.
The breach notification, dated October 14th, revealed that the Barcelona-based company was compromised via “one of our external marketing services.”
“As soon as Mango became aware of this situation, it immediately activated all security protocols and informed the Spanish Data Protection Agency (AEPD) and the Authorities,” the environmentally conscious fast-fashion house stated.
The Mango team also stressed that its business operations were uninterrupted, and the vendor breach has not impacted corporate systems.
Data accessed was limited
Mango reports that the data accessed was “limited to personal contact information used in marketing campaigns,” including:
- First name only
- Country
- Postal code
- Email address
- Telephone number
“Under no circumstances has your banking information, credit cards, ID/passport, or login credentials or passwords been compromised,” Mango said.
The company further relayed that it issued the notice as a precaution, urging all customers to remain vigilant to “any suspicious communications or requests for unusual actions, both by email and by phone.”
Founded by two brothers in 1984, the “Mediterranean-inspired lifestyle brand” designs, manufactures, and markets women's, men's, and children's clothing and accessories.
Named one of the world's Best Companies of 2025 by Time magazine, Mango boasts roughly 2,850 store locations worldwide in over 120 markets, according to its website.
With close to 17,000 employees, the fashion house listed an annual revenue of 3.3 billion euros in 2024.
Experts warn of "second-wave" phishing attacks
Mango did not name the third-party marketing service it uses, nor did it reveal how many customers may have been affected.
Still, Pete Luban, Field CISO at AttackIQ, lauds Mango for promptly reacting to the breach and quickly notifying its customers.
“It’s reassuring to see the speed in which Mango was able to respond to the intrusion,” Luban says.
However, Luban also notes that once an attacker has infiltrated a system, “it’s difficult to prevent any data theft.”
“Keeping banking information, credit card data, and account credentials unaffected is a sign that Mango had effective security defenses in place,” he said.
The CISO also believes that it's likely Mango was able to learn from previous attacks on prominent UK retailers such as Harrods, Marks & Spencer, and Co-op. Harrods recently revealed that at least 430,000 of the luxury department store's customers had their data stolen in the Easter weekend third-party breach.
“That being said, impacted individuals should not let their guards down. Attackers can still extort victims further by conducting phishing attacks using the stolen names, email addresses, and phone numbers," Luban warns.
Luban says security teams are now seeing examples of "second-wave phishing attacks" by many attackers, citing the aftermath of ShinyHunters’ widespread Salesforce attack campaign.
ShinyHunters and its ransomware partner Scattered Spider have been blamed for the retail attacks on M&S, Harrods, Co-op, and many other global retailers over the past few months, including Kering, the parent of luxury fashion brands Gucci, Balenciaga, McQueen, and others.
"Individuals should familiarize themselves with common phishing tactics, including smishing or vishing, report any suspicious emails or messages, and only click on links from verifiable, trustworthy senders,” Luban says.
Meantime, regretting any inconvenience, the fashion company thanked its customers for their “trust and commitment” to the brand.
Mango also provided an email and phone number for those customers with further questions.