All posts

Miinto breach exposes customer order data, phishing risk high

Manaal KhanJuly 11, 2026 at 6:46 PM4 min read
Miinto breach exposes customer order data, phishing risk high

Key Takeaways

Hallmark Data Breach: 1.7 Million Accounts Exposed (What To Do)

Miinto breach exposes customer order data, phishing risk high
Source: www.theregister.com
  • Miinto's internal order management system was compromised, exposing names, addresses, phone numbers, and payment method types
  • No card numbers or verification codes were accessed, but the data is sufficient for targeted phishing campaigns
  • The Copenhagen-based company operates in 14 countries and reported $132.9 million in annual revenue in January 2026

Danish fashion marketplace Miinto has confirmed a breach of its internal order management system. An unauthorized party accessed customer order data including names, email addresses, physical addresses, phone numbers, and payment method types. The Copenhagen-based company began notifying affected customers this week, warning them to watch for phishing attempts that exploit the stolen information.

Miinto did not disclose how many customers were affected or how the intruder gained access. UK-based customers have received notification emails, and the company has reported the incident to police and relevant data protection authorities. The breach is significant because Miinto operates in 14 countries and reported annual revenues of 869 million Danish kroner ($132.9 million) in January, an 86 percent year-over-year increase.

Advertisement

What data did the Miinto breach expose?

The compromised order management system contained typical e-commerce transaction data. Miinto confirmed attackers could access customer names, email addresses, physical shipping addresses, and phone numbers. Payment method information was also exposed, revealing whether customers paid by card, what type of card they used, or whether they used buy-now-pay-later services like Klarna.

Card numbers and verification codes were not compromised. That detail matters for fraud risk, but it does not reduce the phishing threat. The combination of a customer's name, address, phone number, and purchase history gives attackers everything they need to craft convincing impersonation emails.

Phishing risk is the real concern

Miinto explicitly warned customers about phishing attacks that impersonate the brand. This is the predictable second-order risk from any e-commerce breach. Attackers can send emails referencing real orders, real addresses, and real phone numbers. These messages pass the gut-check that filters out generic phishing attempts.

The company's notification email acknowledged this directly: "We are contacting you directly so that you know exactly what happened and what to watch out for." For enterprise security teams, this is a reminder that vendor breaches create downstream exposure. If your employees shop on compromised platforms using work email addresses, those addresses now sit in an attacker's targeting list.

Advertisement

Miinto's response and remediation

According to the notification email seen by The Register, Miinto claims to have removed the intruder from its systems and tightened access controls on the order management system. The company did not specify what security measures it added or what vulnerability the attacker exploited.

We have already strengthened the security of our systems, and we are continuing to invest in measures designed to reduce the risk of anything like this happening again.

— Miinto, customer notification email

The company did not disclose the breach through public channels. It did not respond to The Register's request for comment. That silence is notable. Under GDPR, organizations must notify affected individuals without undue delay when a breach poses a high risk to their rights and freedoms. Miinto appears to have met that obligation through direct email, but the lack of a public statement limits visibility for customers who may have missed the notification.

What IT leaders should take from this

Order management systems are high-value targets. They aggregate customer PII, transaction history, and payment data in one place. For companies running e-commerce operations, this breach is a reminder to audit access controls on these systems aggressively. Questions worth asking: Who has read access? Is access logged and monitored? Are credentials rotated? Is multi-factor authentication enforced?

The breach also highlights third-party risk. Miinto is a marketplace connecting customers to over 2,000 fashion boutiques. If your organization sells through such platforms, your customers' data sits in systems you do not control. That does not absolve you of responsibility in the eyes of your customers.

ℹ️

Logicity's Take

This breach follows a familiar pattern: order management system compromised, PII exposed, phishing warning issued. What stands out is what Miinto did not disclose. No breach timeline, no customer count, no root cause. For CIOs evaluating e-commerce platforms or marketplace integrations, Miinto's opacity should factor into vendor risk assessments. Platforms like Shopify, BigCommerce, and WooCommerce offer different security models and transparency track records. The question is not whether your marketplace partner will be breached, but how they will communicate when it happens.

Frequently Asked Questions

What data was exposed in the Miinto breach?

Customer names, email addresses, physical addresses, phone numbers, and payment method types (card type or use of services like Klarna). Card numbers and verification codes were not exposed.

How many customers were affected by the Miinto data breach?

Miinto has not disclosed the number of affected customers. The company operates in 14 countries, and UK-based customers have confirmed receiving breach notifications.

What should Miinto customers do now?

Watch for phishing emails that reference real order details. Verify any communication claiming to be from Miinto by logging into the platform directly rather than clicking email links.

Did the Miinto breach expose payment card numbers?

No. The breach exposed payment method types but not card numbers, expiration dates, or verification codes.

Has Miinto fixed the security vulnerability?

Miinto claims to have removed the attacker and increased access controls on its order management system, but has not disclosed the specific vulnerability or technical remediation steps.

ℹ️

Need Help Implementing This?

If your organization needs to assess vendor security risk or tighten controls on your own order management systems, Logicity's consulting partners can help. Contact us for recommendations on security audits and incident response planning.

Source: www.theregister.com

Advertisement
M

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.