Cork Shoppers and Irish Udemy Users Among Those Named in ShinyHunters Data Leak

A series of new entries on a dark web leak site linked to the hacking group ShinyHunters has named Zara, Udemy and 7-Eleven, with stolen data now circulating online. The development carries implications for shoppers at Zara's store in Cork's Mahon Point and for the many Irish learners and businesses connected to Udemy, whose EMEA headquarters is based in Dublin.

The listings appeared on the group's leak portal across the past week. Zara and 7-Eleven were posted on 22 April 2026, with Udemy added on 27 April 2026. In each case, ShinyHunters states that negotiations with the companies failed before the data was released.

For Zara, the group claims 192 GB of data taken from BigQuery cloud instances. ShinyHunters has named the Israeli analytics firm Anodot as the entry point, suggesting the access was gained through a third-party connection rather than a direct compromise of Zara's own systems. The same Anodot vector was cited earlier this month in connection with a separate ShinyHunters claim against Rockstar Games.

The Udemy entry is smaller in volume but still significant. ShinyHunters claims 2.3 GB of data, including more than 1.4 million records described as taken from a Salesforce environment, said to contain personally identifiable information alongside internal corporate data.

The 7-Eleven listing claims 12.8 GB of data, including more than 600,000 Salesforce records. 7-Eleven does not operate in Ireland.

Inditex Statement

Zara's parent company, Inditex, separately disclosed unauthorised access to third-party-hosted databases on 15 April 2026. In its statement, Inditex said the affected databases did not contain customer names, addresses, passwords or bank card details, and that only commercial transaction information was involved. The Spanish retailer said it activated its security protocols immediately on discovery and notified the relevant authorities.

Inditex has not publicly named the third-party vendor and has not directly addressed ShinyHunters' subsequent claims about the volume or content of the data on the leak site. There is therefore a notable difference between what Inditex has confirmed about the incident and what the hackers claim to have taken. None of the three companies named in the latest leak listings had publicly confirmed the leaks at the time the original Hackread report was published.

The Cork and Irish Connection

Zara operates a store in Cork at Mahon Point Shopping Centre, with further Irish outlets in Dublin, Limerick, Athlone, Newbridge and other locations. The Inditex group also includes Bershka, Pull&Bear, Stradivarius, Massimo Dutti and Oysho, several of which serve Irish customers online and through stores.

Udemy's connection to Ireland is more direct. The online learning company established its EMEA headquarters in Dublin in 2014, with its current offices at Windmill Lane. The Dublin operation has historically supported Irish customers including TG4, the Gaelic Players Association, ESW, Teamwork and CR2. Udemy is in the process of being acquired by Coursera, with the deal announced in December 2025.

The Wider Campaign

ShinyHunters has been running a sustained campaign against Salesforce customers and third-party cloud integrations. The group has claimed roughly 400 Salesforce-linked targets, with data from dozens of those organisations now published on its leak site. Other named victims in recent months include Telus Digital, the European Commission, McGraw-Hill, ADT, Mytheresa, SoundCloud and Crunchbase.

Initial access in many of the recent incidents has been linked to voice phishing, in which attackers impersonate IT support to trick staff into handing over single sign-on credentials. From there, attackers have pivoted into Salesforce, Slack, Zendesk and other connected platforms.

Advice for Cork and Irish Customers

Customers who have shopped at Zara or other Inditex brands, or who hold a Udemy account, should be alert to phishing emails or text messages that reference past purchases, course enrolments or account details. Avoid clicking links in unsolicited messages claiming to be from Zara, Inditex or Udemy, and verify any communication by going directly to the official app or website.

Where account passwords have been reused across other services, those should be changed without delay. Enabling multi-factor authentication on online shopping and learning accounts adds a further layer of protection.

General advice on data breaches affecting Irish residents is available from the Data Protection Commission.