American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.
Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million.
They are best known for their modular couch systems called ‘sactionals,’ as well as their bean bags called ‘sacs.’
According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company’s internal systems and stole data hosted on those systems.
Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor’s access to its network.
The data that has been stolen includes full names and other personal information that hasn’t been disclosed in the notice sample shared with the Attorney General’s offices.
The company has not clarified whether the incident impacts customers, employees, or contractors, and neither has it disclosed the exact number of individuals affected.
Enclosed in the notification letter, recipients will find instructions on enrolling in 24 24-month credit monitoring service through Experian, redeemable until November 28, 2025.
The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.
Ransomware gang claimed attack on Lovesac
Although Lovesac does not name the attackers and didn’t mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025.
The threat actors added Lovesac onto their extortion portal, announcing the breach, indicating plans to leak the stolen data if a ransom payment isn’t made. We were unable to determine if they followed up with this threat.
The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki’s European division, the Christie’s auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy’s Bologna Football Club.
The ransomware operation quietly shut down in April 2025, with many of their affiliates moving to DragonForce.
BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers were impacted, and will update this post if we receive a response.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
