A threat actor claims to have exfiltrated approximately 38 million customer records from ManoMano’s Zendesk support tenant, with ManoMano acknowledging an incident affecting that platform; exposed data allegedly includes names, email addresses, phone numbers, and order history across six European markets, creating significant GDPR regulatory exposure. The incident is consistent with credential compromise, Zendesk access control misconfiguration, or overpermissive API role assignment — no CVE applies and the 38 million record figure is unverified by ManoMano at time of analysis. Organizations running their own Zendesk tenants should treat this as an immediate prompt to audit agent and admin accounts, enforce MFA, review bulk export and API access logs, and minimize PII retained in support ticketing systems.