Lovesac, the American furniture designer, manufacturer and retailer known for its modular “sactionals” and bean bags, said a cybersecurity incident exposed personal data of an undisclosed number of individuals. The company operates 267 showrooms across the United States and reported annual net sales of about $750 million. The breach notices indicate that the data stolen included full names and other personal information, though the company has not disclosed the exact scope or the total number of affected individuals.
The breach occurred between February 12, 2025, and March 3, 2025. Lovesac says it discovered the intrusion on February 28, 2025, and that it took roughly three days to fully remediate the situation and block the threat actor’s access to its network.
Recipients of the breach notices were offered enrollment in a 24-month credit monitoring service through Experian, redeemable until November 28, 2025. The notices do not specify the number of people affected or confirm whether customers, employees, or contractors were impacted. The company said there is currently no indication that the stolen information has been misused, but urged impacted individuals to remain vigilant against phishing and other social-engineering attempts.
Separately, the ransomware group RansomHub claimed responsibility for the attack and added Lovesac to its extortion portal on March 3, 2025, indicating plans to leak the stolen data if a ransom were not paid. Lovesac did not name the attackers or discuss data encryption in its notices. The activity surrounding Lovesac appears in the broader context of RansomHub’s operations, which have targeted high-profile organizations in various sectors in recent years.
Bleeding into broader industry coverage, Lovesac’s notices and the broader ransomware narrative have drawn attention from security researchers and industry watchers.