The LoveSac Company, a US-based furniture retailer, suffered a ransomware attack in early March 2025, attributed to the RansomHub group. Unauthorized actors gained access to internal systems between February 12 and March 3, 2025, exfiltrating sensitive personal data, including names and unspecified personal identifiers. While no confirmed misuse of the stolen data has been reported, the breach prompted LoveSac to offer two years of complimentary identity monitoring and credit protection to affected individuals. The company detected suspicious activity on February 28, 2025, and later confirmed the data theft. RansomHub threatened to publish the stolen information unless a ransom was paid, though no public confirmation of payment exists. The attack vector remains unconfirmed but aligns with RansomHub’s typical methods, such as exploiting unpatched systems, weak credentials, or RDP vulnerabilities. LoveSac has since strengthened security measures, including policy reviews, access controls, and regulatory notifications. The incident highlights risks to customer data integrity and potential long-term reputational harm, despite no immediate fraudulent activity linked to the breach.

The Maine Office of the Attorney General reported a data breach involving The Lovesac Company on August 30, 2023, which occurred on July 27, 2023. The breach involved inadvertent disclosure of Social Security numbers and affected a total of 208 individuals. The company offered 24 months of credit monitoring and identity restoration services through Experian.