An unverified threat actor claims to have exfiltrated data on approximately 38 million ManoMano customers from a Zendesk-hosted customer support instance; ManoMano has not confirmed the breach and the 38 million figure carries medium confidence. The attack pattern aligns with credential-based access to a SaaS support platform rather than a platform vulnerability, making this a signal event for any organization using Zendesk or similar CRM/ticketing SaaS to audit API tokens, admin account access, and bulk export controls. GDPR Article 33 obligations apply if EU resident data is confirmed compromised.