bleepingcomputer.com By Bill Toulas
September 8, 2025

American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.

Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million.

They are best known for their modular couch systems called 'sactionals,' as well as their bean bags called 'sacs.'
According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company's internal systems and stole data hosted on those systems.

Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor's access to its network.

The data that has been stolen includes full names and other personal information that hasn't been disclosed in the notice sample shared with the Attorney General's offices.

The company has not clarified whether the incident impacts customers, employees, or contractors, and neither has it disclosed the exact number of individuals affected.

Enclosed in the notification letter, recipients will find instructions on enrolling in 24 24-month credit monitoring service through Experian, redeemable until November 28, 2025.

The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.

Ransomware gang claimed attack on Lovesac
Although Lovesac does not name the attackers and didn't mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025.

The threat actors added Lovesac onto their extortion portal, announcing the breach, indicating plans to leak the stolen data if a ransom payment isn't made. We were unable to determine if they followed up with this threat.

The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki's European division, the Christie's auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy's Bologna Football Club.

The ransomware operation quietly shut down in April 2025, with many of their affiliates moving to DragonForce.

BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers were impacted, and will update this post if we receive a response.

• Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period.
• Mimikatz and Nirsoft were used to harvest credentials, with evidence of LSASS memory access.
• Discovery was accomplished using living-off-the-land binaries as well as Advanced IP Scanner and NetScan.
• Rclone was used to exfiltrate data to a remote server using SFTP.
• The threat actor deployed RansomHub ransomware network wide, which spread over SMB and was executed using remote services.

In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024.

I pirati del gruppo RansomHub pubblicano su Dark Web alcuni dei documenti sottratti e chiedono al club di Serie A di pagare un riscatto

Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data.

ESET découvre que le groupe CosmicBeetle s'associe à d'autres gangs de ransomwares et cible des entreprises en France. Tribune ESET. Les chercheurs d'ESET ont mené l’enquête sur ScRansom, un nouveau ransomware développé par le groupe CosmicBeetle. CosmicBeetle a débuté avec les outils Lockbit qui ont fuité. CosmicBeetle est probablement devenu récement un affilié RansomHub ScRansom

August 2024 witnessed a noticeable increase in ransomware activity, with emerging groups like Lynx and RansomHub showing dramatic...

Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks

Discover how RansomHub's ransomware-as-a-service targets Windows, Linux, and ESXi systems.

The Dallas-based company had said in a regulatory filing in April that a cybercrime group was responsible for a data breach. The gang added Frontier to its leak site on June 1.

The hacking group RansomHub is threatening to release “sensitive personal information” about the auction house’s clients.