Full Report
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident.
Analysis Summary
# Incident Report: Quitbro Data Breach (Plantake)
## Executive Summary
In February 2026, the porn addiction recovery app "Quitbro" allegedly suffered a significant data breach involving the exposure of approximately 23,000 unique user accounts. The compromised data included highly sensitive information such as email addresses, years of birth, and behavioral data including app survey responses and recorded relapse times. The parent company, Plantake, has notably failed to respond to disclosure attempts, leading to the incident being classified as a "Sensitive Breach."
## Incident Details
- **Discovery Date:** February 2026 (Reported via Have I Been Pwned on March 2, 2026)
- **Incident Date:** February 2026
- **Affected Organization:** Plantake (App: Quitbro)
- **Sector:** Health & Wellness / Mobile Applications
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Unknown (Lack of disclosure from Plantake)
- **Details:** An external party gained unauthorized access to the Quitbro user database.
### Lateral Movement
- **Details:** Specific lateral movement techniques are currently categorized as "Unknown" due to a lack of forensic data from the developer.
### Data Exfiltration/Impact
- **Details:** 22,900 unique email addresses and associated sensitive metadata (years of birth, app behavioral data, relapse history) were exfiltrated from the production environment.
### Detection & Response
- **Detection:** The breach was detected by security researchers/Have I Been Pwned.
- **Response:** Multiple attempts were made to contact Plantake about the incident; however, the company did not respond. Have I Been Pwned added the breach to its database as a "Sensitive Breach" on March 2, 2026.
## Attack Methodology
- **Initial Access:** Unknown (Likely vulnerability in API or database security)
- **Persistence:** Unknown
- **Privilege Escalation:** Unknown
- **Defense Evasion:** Unknown
- **Credential Access:** Potential access to usernames and linked email accounts.
- **Discovery:** Unknown
- **Lateral Movement:** Unknown
- **Collection:** Automated extraction of user profile tables containing recovery data.
- **Exfiltration:** Unauthorized transfer of 23k records.
- **Impact:** Privacy violation and potential extortion risk due to the nature of the app's content.
## Impact Assessment
- **Financial:** Possible regulatory fines (GDPR/CCPA) for failure to report a breach of health-related data.
- **Data Breach:** 22,900 unique records. Highly sensitive behavioral data (relapse times) exposed.
- **Operational:** No downtime reported, but the developer has shown no control over incident management.
- **Reputational:** Severe; the breach involves sensitive personal addiction data, and the company's lack of response suggests a failure in corporate governance.
## Indicators of Compromise
- **Network indicators:** None currently disclosed.
- **File indicators:** None currently disclosed.
- **Behavioral indicators:** None currently disclosed.
## Response Actions
- **Containment:** None confirmed by the developer.
- **Eradication:** None confirmed by the developer.
- **Recovery:** Third-party notification via Have I Been Pwned to affected users.
## Lessons Learned
- **Communication Failure:** The total lack of response from Plantake aggravated the severity of the incident. Maintaining a security contact (security.txt) is essential.
- **Sensitive Data Handling:** Storing non-anonymized behavioral data (relapse times) creates an immense liability and high personal risk for users in the event of a breach.
- **Third-Party Discovery:** Organizations are often not the first to know about their own breaches; external monitoring is critical.
## Recommendations
- **Anonymization:** Implement data masking or anonymization for behavioral metrics so that relapse data is not tied directly to email addresses.
- **Incident Response Planning:** Establish a clear communication plan for responding to security researchers and the public.
- **Data Minimization:** Evaluate if the collection of years of birth and specific timestamps for relapses is strictly necessary for app functionality.
- **Encryption:** Ensure all PII (Personally Identifiable Information) is encrypted at rest within the database.
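The anonymization and data-minimization recommendations above can be combined in one storage design: the behavioural table holds only a keyed pseudonym, a birth-year band and a day-resolution relapse date, while the email address lives in a separate identity store. The code below is an added illustration, not Quitbro's or Plantake's code; the sample records, the field names and the placeholder key are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample records in the shape the report describes
# (email, year of birth, last recorded relapse time); all values are fictional.
SAMPLE_USERS = [
    {"email": "Alice@Example.com", "year_of_birth": 1990,
     "last_relapse": "2026-01-14T22:37:51Z"},
    {"email": "bob@example.org", "year_of_birth": 1987,
     "last_relapse": "2026-02-03T06:12:09Z"},
]


def pseudonym(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised address.

    A plain hash could be matched by hashing candidate addresses; the HMAC
    cannot be recomputed without `key`, which lives with the identity store
    (or a KMS), never beside the behavioural table.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def coarsen_timestamp(ts: str) -> str:
    """Keep only the calendar day: enough for streak logic, far less identifying."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()


def bucket_year(year: int) -> str:
    """Replace an exact year of birth with a five-year band."""
    start = year - year % 5
    return f"{start}-{start + 4}"


def split_record(user: dict, key: bytes) -> tuple[dict, dict]:
    """Split one user into an identity row and a behavioural row.

    Only the pseudonym links the two, so a leak of the behavioural store
    alone exposes no email address, exact birth year or exact relapse time.
    """
    pid = pseudonym(user["email"], key)
    identity = {"pseudonym": pid, "email": user["email"]}
    behaviour = {
        "pseudonym": pid,
        "birth_bucket": bucket_year(user["year_of_birth"]),
        "last_relapse_day": coarsen_timestamp(user["last_relapse"]),
    }
    return identity, behaviour
```

The identity store still needs its own protection (encryption at rest, tight access control); the split limits what a breach of the behavioural data alone reveals.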