Clothing retailer MANGO has confirmed a data breach after one of its external marketing vendors was compromised. The company began sending official notices to customers on October 14, 2025, confirming that certain personal details were exposed in the incident. The MANGO data breach highlights the ongoing risks tied to third-party service providers and how attackers can exploit even limited customer information.
Background on MANGO
MANGO, founded in Barcelona in 1984, has grown from a single Spanish clothing store into one of the world’s largest and most recognizable fashion retailers. The company specializes in contemporary apparel, accessories, and lifestyle products, balancing affordable pricing with European-inspired designs. Today, MANGO operates more than 2,800 physical stores across 120 countries, alongside a strong e-commerce presence that reaches millions of customers worldwide. With a workforce of over 16,000 employees, the brand continues to expand its global footprint while competing with other fast fashion and mid-tier clothing retailers such as Zara, H&M, and Uniqlo.
Financially, MANGO generates around €3.3 billion in annual revenue, with about 30 percent coming from its online channels. This reliance on digital marketing and online sales has made the company more vulnerable to cyber risks. A breach of customer data, even when limited to basic contact details, can undermine trust, disrupt marketing efforts, and harm the reputation MANGO has built over decades. As a result, cybersecurity incidents connected to third-party vendors carry serious consequences not only for affected customers but also for the company’s long-term brand integrity and international operations.
Details of the MANGO Data Breach
According to the notice, the breach originated from an external marketing provider and involved unauthorized access to customer data used in promotional activities. The exposed information includes:
- First name (last names were not included)
- Country
- Postal code
- Email address
- Telephone number
MANGO emphasized that no sensitive information such as banking details, credit card numbers, government IDs, passports, account credentials, or passwords were affected by this incident. The company also stated that its internal IT systems and corporate infrastructure remain fully secure and unaffected.
MANGO’s Official Response
MANGO assured customers that all security protocols were immediately activated following the discovery of the breach. The company also reported the incident to the Spanish Data Protection Agency (AEPD) and other relevant authorities, in accordance with applicable laws.
To support customers, MANGO has set up a dedicated email address (personaldata@mango.com) and telephone hotline (900 150 543) for questions or concerns about the breach.
Aviso importante sobre datos personales
Fecha: 14 de octubre de 2025
En línea con nuestro compromiso con la seguridad y privacidad de nuestros clientes, MANGO quiere informarte que uno de los servicios de marketing externo ha sufrido un acceso no autorizado a determinados datos personales de clientes.
La información expuesta se limita a datos de contacto personales utilizados en campañas de marketing: exclusivamente nombre (no se han visto comprometidos tus apellidos), país, código postal, dirección de correo electrónico y teléfono. Te informamos que todo sigue funcionando con normalidad y que la infraestructura y los sistemas corporativos de Mango no se han visto comprometidos.
En ningún caso se ha visto comprometida tu información bancaria, tus tarjetas de crédito, tu DNI/pasaporte o tus credenciales de acceso ni contraseñas.
Nada más tener conocimiento de esta situación, MANGO ha activado de inmediato todos los protocolos de seguridad. De conformidad con la normativa vigente y siguiendo nuestras políticas internas, MANGO ha informado a la Agencia Española de Protección de Datos (AEPD) y Autoridades.
De manera preventiva emitimos esta comunicación y recomendamos a todos nuestros clientes prestar atención a cualquier comunicación sospechosa o solicitudes de acciones inusuales tanto por correo electrónico como por teléfono.
MANGO pone a disposición el correo electrónico de nuestro Servicio de Atención al Cliente (personaldata@mango.com) y teléfono (900 150 543) para cualquier cuestión adicional y lamentamos cualquier molestia que este incidente puntual pueda haberte causado.
Como siempre, queremos agradecer tu confianza y compromiso con nuestra marca.
Equipo Mango
Important Notice About Personal Data
Date: October 14, 2025
In line with our commitment to the security and privacy of our customers, MANGO wishes to inform you that one of our external marketing services has suffered unauthorized access to certain customer personal data.
The exposed information is limited to personal contact data used in marketing campaigns: exclusively first name (last names have not been compromised), country, postal code, email address, and telephone number. We inform you that everything continues to function normally and that Mango’s corporate infrastructure and systems have not been compromised.
At no point has your banking information, credit card details, ID/passport, access credentials, or passwords been compromised.
As soon as we became aware of this situation, MANGO immediately activated all security protocols. In accordance with current regulations and following our internal policies, MANGO has informed the Spanish Data Protection Agency (AEPD) and the relevant authorities.
As a preventive measure, we are issuing this communication and recommend that all our customers pay attention to any suspicious communications or unusual requests received by email or telephone.
MANGO has made available the email address of our Customer Service (personaldata@mango.com) and the telephone number (900 150 543) for any additional queries, and we regret any inconvenience that this isolated incident may have caused you.
As always, we want to thank you for your trust and commitment to our brand.
The Mango Team
Risks and Impact
Although the breach did not involve financial data or account credentials, the compromised information can still be abused by cybercriminals. Attackers often use names, email addresses, and phone numbers to craft targeted phishing scams and social engineering attempts. Customers may be at higher risk of receiving fraudulent emails or calls impersonating MANGO or other trusted companies.
Such data can also be combined with information available from other breaches or online sources, making it easier for attackers to build convincing fake messages or launch malware-laced campaigns. This increases the importance of customer awareness and caution following the incident.
Key Takeaways
- The MANGO data breach was caused by unauthorized access to an external marketing vendor.
- Exposed data includes first names, country, postal codes, email addresses, and phone numbers.
- No financial information, login credentials, or government IDs were compromised.
- MANGO has activated its security protocols, reported the incident to the AEPD, and notified affected customers.
- Customers should remain vigilant for phishing emails or suspicious calls that may use the leaked data.
Although sensitive details like payment cards and credentials were not exposed, the MANGO breach still increases the risk of phishing scams and targeted fraud attempts. Customers are urged to verify communications directly with MANGO, stay alert for fake shipping or promotional messages, and protect their devices by running scans with a trusted anti-malware tool such as Malwarebytes.
For continuing coverage of this incident and similar cases, visit our dedicated data breach section.
