Hello Cake sexual wellness company reports data breach exposing health data
Learn More
Hello Cake, a sexual wellness company based in North Hollywood, California, is reporting a data security incident that compromised sensitive customer information including prescription-related and personal health data.
The breach occurred on July 25, 2025 and exposed the personal and medical information of customers who used the company's telehealth prescription services.
The incident was caused by a misconfigured access setting on a single file stored in a cloud-based system during a platform migration process. The compromised file contained both personally identifiable information (PII) and protected health information (PHI) and was accessible via a direct url and file path without authentication. An attacker discovered and accessed the file path and copied the sensitive data.
The threat actor known as "888" claimed responsibility for the breach, posting details and samples of the stolen data on the open web on July 21, 2025, four days before Hello Cake detected the security incident. Exposed data includes:
- Full names
- Dates of birth
- Email addresses
- Phone numbers
- Order IDs
- Transaction IDs
- Shipping addresses
- Prescribed medication names
- Prescription identifiers
- Prescription expiration dates
- Prescription refills
- Prices
- Order statuses
- Shipping dates
- Discount and coupon information
- Other order-related data
The number of affected individuals is not disclosed.
The company reported the breach to the California Attorney General on September 19, 2025.
The company is providing detailed guidance to affected individuals, including steps for monitoring credit reports, placing fraud alerts, and freezing credit files. Hello Cake has established a dedicated incident response phone line at 866-291-1599, available Monday through Friday from 8 a.m. to 5:30 p.m. Central Time, to assist customers with questions or concerns.
