Hacendado, a prominent Spanish brand primarily associated with Mercadona, one of Spain’s largest supermarket chains, has allegedly fallen victim to a significant data breach. An unauthorized actor claims to have exploited a zero-day vulnerability within a third-party logistics and inventory management system integrated with Hacendado’s backend infrastructure, leading to the compromise of extensive user data. Hacendado is a widely recognized private label for Mercadona, offering a vast range of grocery and household products, making Mercadona a key player in the Spanish retail sector with millions of customers across Spain and Portugal. The scale of its operations means a data breach could have widespread consequences for its customer base.
The perpetrator of the alleged breach is offering a substantial dataset for private sale, reportedly containing information on over 27 million unique users. The compromised data is described as raw and unfiltered, directly scraped from the affected systems. The actor also claims to possess exclusive rights to the unpatched zero-day vulnerability, indicating it has not been reported or fixed. The origin of the breach is attributed to this previously unknown flaw in a third-party vendor’s software, highlighting the persistent risks associated with supply chain vulnerabilities.
The following data categories are allegedly included in the breach:
- Full names, emails, and hashed passwords
- Location data and purchase history
- Internal employee emails and operational logs
- Fragmented payment metadata
- Tokens and access credentials (partially obfuscated)
