Have I Been Pwned Adds Quitbro and Lovora Breaches Linked to Plantake
Have I Been Pwned (HIBP) added two alleged February 2026 breaches affecting Plantake-made mobile apps: porn addiction app Quitbro and couples/relationship app Lovora. Quitbro exposure is listed as sensitive and not publicly searchable on HIBP; it allegedly impacted 23k unique email addresses and included years of birth, in-app questionnaire responses, and users’ last recorded relapse time. Lovora allegedly exposed 496k unique email addresses along with display names, profile photos, and other personal information collected through app usage; in both cases, Plantake reportedly did not respond to multiple contact attempts.
Separately, Canadian retailer Canadian Tire disclosed an October 2025 breach of an e-commerce customer database affecting 38+ million accounts, with exposed data including names, addresses, emails, year of birth, and PBKDF2 password hashes; a smaller subset included full dates of birth and some records included truncated payment card data. The company stated in-store transactions and certain business units (e.g., Canadian Tire Bank and Triangle Rewards) were not impacted, and it reported remediation, regulatory notification, customer outreach, and credit monitoring; HIBP also added the Canadian Tire dataset, but it is a distinct incident from the Plantake app breaches.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Plantake does not respond to inquiries about reported Lovora and Quitbro breaches
Following reporting on the alleged February 2026 breaches, Plantake did not respond to multiple contact attempts regarding either Lovora or Quitbro. No public confirmation or remediation details were provided in the referenced material.
Quitbro allegedly suffers sensitive data breach affecting 23,000 users
In February 2026, the porn addiction app Quitbro allegedly experienced a data breach exposing 23,000 unique email addresses. The compromised data reportedly included years of birth, responses to in-app questions, and users' last recorded relapse time, making the incident highly sensitive.
Lovora allegedly suffers data breach exposing 496,000 accounts
In February 2026, the couples and relationship app Lovora allegedly experienced a data breach. The exposed data reportedly included 496,000 unique email addresses, display names, profile photos, and other personal information collected through the app.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Canadian Tire E-commerce Database Breach Exposes Data for Over 38 Million Accounts
**Canadian Tire Corporation** disclosed a major breach of its **e-commerce customer database** after identifying unauthorized access on **October 2, 2025**, exposing personal data tied to **38+ million customer accounts**. Exposed data included names, physical addresses, email addresses, year of birth (and for **<150,000** accounts, full dates of birth), and **encrypted passwords**; some records also contained **truncated payment card numbers**. The company stated the exposed financial data could not be used to conduct transactions, and reported **no impact** to in-store systems, *Canadian Tire Bank*, or *Triangle Rewards*. Canadian Tire reported it **remediated the underlying issue**, notified regulators, and planned customer notifications and **credit monitoring**. *Have I Been Pwned* added the incident to its corpus, reporting roughly **42 million records** (including **~38.3 million email addresses**) and indicating the dataset includes **PBKDF2 password hashes** along with additional fields such as phone numbers and gender, increasing the likelihood of credential-stuffing and identity-fraud follow-on activity.
Mar 27, 2026
Massive Addition of Nearly 2 Billion Compromised Accounts to Have I Been Pwned
Have I Been Pwned (HIBP), the widely used data breach notification service, has indexed nearly 2 billion unique email addresses and 1.3 billion passwords from newly obtained datasets, marking the largest single update in the platform's history. The data, sourced in part from threat intelligence provider Synthient, includes both stealer log data—collected by malware from infected machines—and credential stuffing lists, which are typically compiled from previous breaches and used to facilitate unauthorized access to accounts across multiple services. This update brings the total number of accounts tracked by HIBP to over 15 billion, significantly expanding the visibility of exposed credentials for individuals and organizations. The newly indexed records include 183 million unique email addresses uploaded on October 21, as well as a much larger corpus totaling nearly 2 billion addresses and 1.3 billion passwords, 625 million of which were previously unseen. Users are encouraged to check their exposure using HIBP's free search tools and to take immediate action if their credentials are found, such as changing passwords and enabling multi-factor authentication. The scale and diversity of the data highlight the ongoing risks of password reuse and the importance of proactive credential management to mitigate the threat of account takeover attacks.
Mar 21, 2026
Have I Been Pwned Adds Unverified Speedio and Pemiblanc Breach Listings
Have I Been Pwned added breach entries for **Speedio** and **Pemiblanc** and labeled both incidents as **unverified**, indicating that some of the exposed records may be legitimate but the full datasets could not be authenticated beyond reasonable doubt. The listings were nevertheless published because they may contain personal information that affected individuals would want to know is circulating online. The disclosures reflect HIBP's practice of retaining alleged breaches when there is evidence of real personal data exposure even if the broader incident cannot be conclusively validated. For defenders and privacy teams, the entries signal potential exposure tied to the two services and warrant user notification, credential hygiene checks, and monitoring for follow-on abuse involving leaked personal data.
Mar 27, 2026