Saw the news this week that the breach hit basically all the Inditex brands (Zara, Bershka, Pull&Bear, Stradivarius, Oysho).
The attackers are claiming they got 19 million records. I’ve had my Zara account since back around 2018 and I’m pretty sure my account is in it. My password was unique to that site at least, which is great for me, but the email, name, DOB, address, and phone number are all out there now, so that sucks.
Felt that gut punch moment for about an hour, then sat down and worked through the cleanup methodically. Posting what I did in case it helps anyone else here who got hit:
- Changed my Zara password immediately. Even though their statement implies passwords weren’t in the dump, no point trusting that. I don’t trust anything these companies say tbh.
- Audited password reuse. Used my password manager to check anywhere I’d used the same email/password combo. Found two old accounts I’d reused on years ago and changed both. If you don’t use a password manager, this is the moment to start. Bitwarden is free.
- Turned on 2FA on Zara and every linked account I could. Email account first, that one’s the master key.
- Got ready for phishing. This is the real underrated piece. With name + DOB + address + phone + the fact that you have a Zara account, scammers can craft really good “your Zara order has shipped, click to track” or “we noticed unusual activity, verify your account” messages. I told my wife and my mom to be extra skeptical of anything mentioning a Zara order, a delivery, or a bank alert for the next few months. Fraud volume goes up after a breach like this and it stays up for a while.
- Signed up for Have I Been Pwned alerts so I’ll get a heads up next time my email shows up on the “dark web”.
- Started using email aliases for new signups going forward. SimpleLogin and Apple Hide My Email both work well. Idea is that next time a retailer gets cracked like this, the leaked email isn’t my real one and I can just sort of kill the alias and not stay up at night worrying about it.
- I considered just deleting the account entirely. I don’t shop there much anymore. Probably going to nuke it next weekend honestly.
- Bumped up credit monitoring alerts. Didn’t freeze my credit (DOB plus address plus email alone isn’t quite enough to open new credit), but I tightened up the alert thresholds just in case more data ends up in the dump than what’s been disclosed so far.
Not perfect but it’s something. The part that gets me is that none of this is Inditex’s problem to clean up. They’ll send a polite “we take your privacy seriously” email and that’s about it. The actual work falls on us. I hope this helps someone. Anyone else in this breach?
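The password-reuse audit in the post above is the step most people skip because it feels tedious by hand. Here is an added example (not from the original poster, and not a tool from Bitwarden or any password manager) that does the same audit over an exported vault. It assumes the CSV column layout that Bitwarden uses for exports (`name`, `login_uri`, `login_username`, `login_password`, ...); the rows themselves are constructed for the example and every password in it is invented. It reports three things: which entries share a password, which share the exact email + password pair that a credential-stuffing attack replays, and which accounts are registered under the breached email (the ones to expect targeted "your order has shipped" phishing on). Passwords are never printed; only a short hash prefix is shown so the report can be pasted somewhere without leaking anything.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in Bitwarden's CSV column layout (assumption: these
# column names match a Bitwarden export; all values below are invented).
SAMPLE_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
Shopping,0,login,Zara,,,0,https://www.zara.com,me@example.com,Zara-only-pass-2018!,
Shopping,0,login,OldShop,,,0,https://oldshop.example,me@example.com,Summer2015!,
Misc,0,login,Forum,,,0,https://forum.example,me@example.com,Summer2015!,
Misc,0,login,Bank,,,0,https://bank.example,me@example.com,uniq-bank-pw-9f3,
Misc,0,login,Newsletter,,,0,https://news.example,other@example.com,Summer2015!,
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report never echoes the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:10]


def load_entries(csv_text: str) -> list:
    """Parse the export and keep only login items that actually have a password."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r for r in reader if r.get("type") == "login" and r.get("login_password")]


def find_reuse(entries: list) -> dict:
    """Group logins by password; return {fingerprint: [site names]} for any password used more than once."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["login_password"]].append(e["name"])
    return {fingerprint(pw): sorted(names) for pw, names in by_pw.items() if len(names) > 1}


def find_combo_reuse(entries: list) -> dict:
    """Same email AND same password across sites: the exact pair credential stuffing replays."""
    by_combo = defaultdict(list)
    for e in entries:
        by_combo[(e["login_username"].lower(), e["login_password"])].append(e["name"])
    return {
        (user, fingerprint(pw)): sorted(names)
        for (user, pw), names in by_combo.items()
        if len(names) > 1
    }


def accounts_using_email(entries: list, email: str) -> list:
    """Every site registered under a breached email address (case-insensitive match)."""
    return sorted(e["name"] for e in entries if e["login_username"].lower() == email.lower())


def report(csv_text: str, breached_email: str) -> None:
    """Print a human-readable audit; run against your own export instead of SAMPLE_EXPORT."""
    entries = load_entries(csv_text)
    print("Passwords used on more than one site (hash prefix -> sites):")
    for fp, names in find_reuse(entries).items():
        print(f"  {fp}: {', '.join(names)}")
    print("Email + password pairs shared across sites (change these first):")
    for (user, fp), names in find_combo_reuse(entries).items():
        print(f"  {user} / {fp}: {', '.join(names)}")
    print(f"Accounts registered under {breached_email} (expect targeted phishing here):")
    print("  " + ", ".join(accounts_using_email(entries, breached_email)))


if __name__ == "__main__":
    report(SAMPLE_EXPORT, "me@example.com")
```

To use it on a real vault, export to CSV, read the file into `csv_text`, and delete the export when done; the plaintext CSV is the most sensitive file on the machine while it exists. The combo-reuse list is the one to fix first, since those are the pairs an attacker with the breached credential would try elsewhere.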