Mytheresa Breach: 84K Accounts - Credit Cards Exposed (2026)
Overview
In April 2026, luxury fashion e-commerce platform Mytheresa was targeted by the ShinyHunters extortion group, known for “pay or leak” demands. After Mytheresa did not meet the ransom deadline, the group publicly released a dataset containing 84,108 unique customer accounts. The exposed data includes full names, email addresses, phone numbers, physical shipping addresses, purchase histories, and partial credit card information - including card type, last four digits, and expiration dates. This incident has been indexed by Have I Been Pwned, making it easy for affected customers to verify their exposure.
What Was Exposed
The leaked dataset includes a combination of personally identifiable information (PII) and financial data that creates serious security risks:
- Email addresses - prime targets for phishing campaigns and credential-stuffing attacks.
- Names and phone numbers - enable highly targeted social engineering and SIM-swapping attempts.
- Physical addresses - expose victims to physical mail fraud and doxxing.
- Purchase histories - reveal shopping habits, which can be used in personalized phishing scams.
- Partial credit card data - card type, last four digits, and expiration dates. While the full card number is missing, this data is still valuable to fraudsters attempting account recovery on other services or combining it with other breached databases.
How the Breach Happened
ShinyHunters operates under a “pay or leak” ransomware model, where attackers breach a company’s systems, exfiltrate sensitive data, and demand payment to keep it private. When the ransom is not paid, the data is either sold on dark web forums or publicly released. In Mytheresa’s case, the group reportedly exploited a vulnerability in the platform’s web application or third-party integrations, though the exact technical vector has not been disclosed. The ransom deadline passed without payment, leading to the full release of the dataset.
Account Takeover Risks
The combination of email addresses and partial credit card data is particularly dangerous. Attackers can use these details to attempt account takeovers on Mytheresa itself or, more commonly, on other services where the victim uses the same email address. With the last four digits of a credit card and the expiration date, fraudsters have enough information to reset passwords on some platforms that use these details as security questions. Victims should immediately change passwords on all accounts and enable two-factor authentication wherever possible.
Identity Theft Risks
While the breach does not include full Social Security numbers, the exposed phone numbers and physical addresses are enough for identity thieves to initiate fraud. With a name, address, and phone number, criminals can apply for store credit cards, open utility accounts, or file fraudulent tax returns. Combined with purchase history, they can craft convincing “account verification” calls that trick victims into revealing more sensitive information.
What to Do Right Now
- Check if you’re affected - visit Have I Been Pwned and search your email address.
- Freeze your credit - contact Equifax, Experian, and TransUnion to place a fraud alert or credit freeze.
- Monitor your credit card statements - look for unauthorized charges or small “test” transactions.
- Change your Mytheresa password - and use a unique, strong password for this account.
- Enable two-factor authentication - on Mytheresa and any other service that supports it.
- Watch for phishing - ShinyHunters-related threat actors often use the exposed data to send targeted emails.
How to Check If You’re Affected
The most reliable method is to go to Have I Been Pwned and enter your email address. If your account appears in the dataset, you will receive a clear notification. Mytheresa is also expected to send direct notification emails to impacted customers, but using HIBP provides immediate confirmation.
Security Insight
This incident highlights a persistent weakness in e-commerce platforms: the retention of historical purchase data and partial payment details beyond what is necessary for operations. Mytheresa’s decision to store partial credit card numbers alongside full customer profiles created a higher-value target for attackers. Compared to other recent luxury retail breaches, such as Farfetch in 2024, the ShinyHunters extortion added a public shaming element that pressured companies to pay - or face reputational damage. The long-term lesson for e-commerce companies is not just to patch vulnerabilities, but to minimize the data they store in the first place. For consumers, this breach underscores the need to use unique passwords and monitor financial accounts actively, even when checking out as a guest.