Tenga Customer Data Exposed After Employee Email Account Compromise
Tenga disclosed a data breach after an attacker gained unauthorized access to a single employee’s professional email account, allowing visibility into the mailbox contents and enabling outbound spam/phishing to the employee’s contacts, including customers. The exposed information potentially included customer names, email addresses, and historical email correspondence, which may have contained order details or customer service inquiries; Tenga said a forensic review determined the incident affected approximately 600 U.S. customers.
Tenga characterized the incident as localized and limited in scope, stating its broader systems and databases outside the U.S. were not impacted and that no Social Security numbers, payment card data, billing information, or store passwords were compromised. Post-incident actions described included resetting the affected employee’s credentials and implementing or expanding multi-factor authentication across systems; customers were advised to remain vigilant for suspicious emails and consider changing passwords as a precaution, particularly for messages appearing to come from the impacted employee account.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Tenga notifies about 600 affected U.S. customers
Tenga notified impacted customers in the United States that their information may have been exposed in the email account breach and said affected individuals were proactively contacted. The company advised customers to change passwords, improve password hygiene, and watch for suspicious emails.
Tenga resets credentials and enables MFA after the breach
In response to the incident, Tenga reset the affected employee’s credentials and enabled multi-factor authentication across its systems. The company did not say whether MFA had been enabled on the compromised mailbox before the breach.
Compromised account used to send phishing emails
During a short window from 12 a.m. to 1 a.m. PT, the attacker used the compromised employee account to send spam or phishing emails with an attachment to the employee’s contacts. This activity was part of the same mailbox compromise disclosed by Tenga.
Attacker accesses Tenga employee email account
An unauthorized party compromised a single Tenga employee’s professional email mailbox, potentially viewing or stealing inbox contents including customer names, email addresses, and historical correspondence that may have contained order details or customer service inquiries. Tenga later said the incident affected about 600 U.S. customers and that systems and databases outside the United States were not impacted.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Canadian Tire E-commerce Database Breach Exposes Data for Over 38 Million Accounts
**Canadian Tire Corporation** disclosed a major breach of its **e-commerce customer database** after identifying unauthorized access on **October 2, 2025**, exposing personal data tied to **38+ million customer accounts**. Exposed data included names, physical addresses, email addresses, year of birth (and for **<150,000** accounts, full dates of birth), and **encrypted passwords**; some records also contained **truncated payment card numbers**. The company stated the exposed financial data could not be used to conduct transactions, and reported **no impact** to in-store systems, *Canadian Tire Bank*, or *Triangle Rewards*. Canadian Tire reported it **remediated the underlying issue**, notified regulators, and planned customer notifications and **credit monitoring**. *Have I Been Pwned* added the incident to its corpus, reporting roughly **42 million records** (including **~38.3 million email addresses**) and indicating the dataset includes **PBKDF2 password hashes** along with additional fields such as phone numbers and gender, increasing the likelihood of credential-stuffing and identity-fraud follow-on activity.
Mar 27, 2026
Betterment Social-Engineering Breach Exposes 1.4 Million Customer Records
**Betterment** disclosed that a **social engineering** attack against a **third-party platform account** used for customer communications enabled unauthorized access to internal systems in early January, leading to the exposure of personal data tied to **1,435,174 accounts**. The intruder used the access to send **fraudulent crypto-themed promotional messages** impersonating Betterment and promising to “triple” cryptocurrency sent to attacker-controlled wallets (including **Bitcoin and Ethereum** addresses). Betterment said it revoked the unauthorized access the same day it was detected, warned customers to ignore the messages, and initiated a forensic investigation with external incident-response support. Breach analysis and indexing by **Have I Been Pwned** indicated the exposed dataset included **email addresses, names, and location data**, with reporting also citing additional PII such as **dates of birth, physical addresses, phone numbers, device information, and employment-related details**. Betterment stated there is **no evidence** that customer investment accounts were accessed or that **passwords/authentication tokens** were compromised, characterizing the incident as an exposure of contact/identity data rather than account credentials. Separate reporting noted Betterment also experienced **intermittent outages attributed to a DDoS attack and extortion attempts** around the same period, but this was described as distinct from the social-engineering-driven data exposure.
Mar 21, 2026
ManoMano Customer Data Exposed via Third-Party Customer Service Provider Breach
European DIY e-commerce platform **ManoMano** disclosed a large-scale data breach after threat actors compromised a **third-party customer service provider (subcontractor)**, leading to the unauthorized extraction of customer data tied to accounts and support interactions. The incident was identified in **January 2026** and affects roughly **38 million** customers across ManoMano’s European markets; the company reported no evidence that its internal systems were altered and stated that **passwords were not accessed**. Reportedly exposed data varies by customer but includes **names, email addresses, phone numbers, and customer service communications** (including support tickets and potentially attachments). A threat actor using the alias **“Indra”** claimed responsibility on a hacker forum and alleged possession of approximately **37.8 million** user records, a figure broadly consistent with ManoMano’s notification, though the claim has not been independently verified. ManoMano said it **blocked the compromised account, revoked the subcontractor’s access**, and implemented **enhanced access controls** while continuing its investigation.
Mar 21, 2026