Full Report
In July 2025, the sexual healthcare product maker Hello Cake suffered a data breach. The data was subsequently posted on a public hacking forum and included 23k unique email addresses along with names, phone numbers, physical addresses, dates of birth and purchases.
Analysis Summary
# Incident Report: Hello Cake Data Breach (July 2025)
## Executive Summary
Sexual healthcare product maker Hello Cake suffered a sensitive data breach in July 2025, resulting in the exposure of personal information for approximately 23,000 unique users. The compromised data, which included names, email addresses, phone numbers, physical addresses, dates of birth, and purchase history, was later posted to a public hacking forum. The response focused on notifying affected parties and advising users to change credentials and enable MFA.
## Incident Details
- Discovery Date: 15 Oct 2025 (date the breach was added to the HIBP index)
- Incident Date: July 2025
- Affected Organization: Hello Cake
- Sector: Sexual Healthcare Products/E-commerce
- Geography: Not explicitly disclosed (Implied US based on notification structure)
## Timeline of Events
### Initial Access
- Date/Time: July 2025 (Breach Occurred)
- Vector: Unknown
- Details: Attackers successfully accessed and exfiltrated customer data.
### Lateral Movement
- Unknown. The report focuses on data exfiltration rather than internal network activity.
### Data Exfiltration/Impact
- Approximately 22.9 thousand unique email addresses were stolen, along with names, phone numbers, physical addresses, dates of birth, and purchase records.
### Detection & Response
- Detection: The breach details were eventually indexed by Have I Been Pwned (HIBP) on October 15, 2025, indicating public exposure occurred prior to this date.
- Response actions: The organization issued a formal notification to customers (as detailed in a linked PDF notification). Public recommendations included changing passwords and enabling Two-Factor Authentication (2FA).
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Theft of customer profile and transactional data.
- Exfiltration: Data posted to a public hacking forum.
- Impact: Sensitive PII and purchase history leakage, classified as a 'Sensitive Breach'.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: ~23,000 records containing PII: Dates of birth, Email addresses, Names, Phone numbers, Physical addresses, and Purchase history.
- Operational: Not disclosed, though data exposure is confirmed.
- Reputational: Negative publicity stemming from the sensitive nature of the leaked data (sexual healthcare products).
## Indicators of Compromise
The article does not provide specific TTPs or IoCs (like domains, IPs, or hashes), as the focus is on the resultant data exposure and user notification.
## Response Actions
- Notification: Notification emails were sent to affected users.
- User Guidance: Advised users to change passwords used since 2025 and implement Two-Factor Authentication.
## Lessons Learned
- Customer data stored by the organization contained highly sensitive PII, including dates of birth and specific purchase histories, necessitating stringent protection.
- The public disclosure mechanism (posting on a public forum) implies a significant failure in preventing data exfiltration.
## Recommendations
- Immediately review and update all customer passwords potentially exposed in the breach.
- Mandate and enforce the use of strong, unique passwords, ideally managed via a password manager.
- Implement Multi-Factor Authentication (MFA/2FA) across all applicable customer accounts immediately.
- Conduct a thorough security audit focusing on data storage and access controls for sensitive customer databases.