American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.
Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million.
They’re best known for their modular couch systems called ‘sactionals,’ as well as their bean bags called ‘sacs.’
According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company’s internal systems and stole data hosted on those systems.
Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor’s access to its network.
The data that has been stolen includes full names and other personal information that hasn’t been disclosed in the notice sample shared with the Attorney General’s offices.
The company has not clarified whether the incident impacts customers, employees, or contractors, nor has it disclosed the exact number of individuals affected.
Enclosed in the notification letter, recipients will find instructions on enrolling in a 24-month credit monitoring service through Experian, redeemable until November 28, 2025.
The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.
Ransomware gang claimed attack on Lovesac
Although Lovesac doesn’t name the attackers and didn’t mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025.
The threat actors added Lovesac to their extortion portal, announcing the breach and indicating plans to leak the stolen data if a ransom payment was not made. We were unable to determine if they followed up on this threat.
The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki’s European division, the Christie’s auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy’s Bologna Football Club.
The ransomware operation quietly shut down in April 2025, with many of its affiliates moving to DragonForce.
BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers have been impacted, and will update this post if we receive a response.




