American furniture company Lovesac has disclosed that it suffered a data breach, which led to the exposure of personal information for an unspecified number of individuals. The company, known for its modular couches and bean bags, operates 267 showrooms across the U.S. and generates over $750 million in annual sales. According to notices sent to impacted individuals, hackers gained unauthorized access to the company’s internal systems and exfiltrated data between February 12 and March 3, 2025.
Lovesac discovered the breach on February 28, 2025, and managed to block the threat actor’s access to its network within three days. The company has not specified whether the stolen data belongs to customers, employees, or contractors, nor has it disclosed the exact number of people affected. While the notice indicates that full names and other personal information were compromised, the specific details of that information were not fully disclosed.
Although Lovesac’s official notice doesn’t name the attackers, the RansomHub ransomware gang claimed responsibility for the attack on March 3, 2025. The group added Lovesac to its extortion portal, threatening to leak the stolen data if a ransom was not paid. It is currently unclear if the gang followed through with its threat.
Lovesac stated that it has no indication that the stolen data has been misused, but it is urging all potentially impacted individuals to remain vigilant against phishing attempts. The company is providing a complimentary 24-month credit monitoring service through Experian to all recipients of the data breach notification.
Instructions for enrolling in the credit monitoring service are included in the notification letter, with a redemption deadline of November 28, 2025.
Reference:
