Tenga data breach exposes emails and order details of 600 US customers after employee account hack

Japanese sex toy manufacturer Tenga has notified approximately 600 U.S. customers that a hacker accessed an employee’s professional email account, exposing customer email addresses and correspondence history and sending phishing messages during a brief window in February.

Tenga, a Tokyo-based company founded in 2005 that designs and sells adult products globally, said an unauthorized party gained access to one employee’s mailbox, allowing visibility into the contents of the inbox. The compromised data potentially included customer names, email addresses and historical email correspondence, which may have contained order details or customer service inquiries.

The company identified what it described as a localized security incident involving a limited number of U.S. customers who had contacted its customer service channel. A forensic review determined that approximately 600 individuals in the United States were affected. The company said it proactively contacted those who may have been impacted to provide guidance.

Tenga stated that its global systems and databases outside the United States remain secure and unaffected. No Social Security numbers, billing information, credit card data or Tenga Store passwords were compromised in the incident.

The attacker also used the breached email account to send phishing messages, including an attachment, to the employee’s contacts, which included customers. The company said the spam activity occurred between 12 a.m. and 1 a.m. Pacific Time on Feb. 12, 2026. Tenga told customers there is no risk to their devices or data if the suspicious attachment was not opened.

The company said its email and e-commerce systems are protected through data siloing, multifactor authentication and user management controls that limit access to essential personnel. Sensitive information, including payment details and passwords, is encrypted and hashed by default, preventing access even by company employees.

Following the breach, Tenga reset the affected employee’s credentials and enabled multifactor authentication across its systems. The company declined to disclose how the employee’s email account was compromised and did not say whether multifactor authentication had been in place on that specific account before the incident.

Tenga is advising affected customers to update their account passwords regularly, avoid reusing passwords across platforms, review account security settings and remain alert for suspicious emails, particularly those appearing to originate from the compromised employee account.

The company has not confirmed whether customers outside the United States were affected. Tenga says it has shipped more than 162 million products worldwide.