Hello Cake Data Breach Exposes Protected Health Information

On July 25, 2025, Hello Cake, a sexual wellness company based in North Hollywood, Calif., experienced a significant data breach involving sensitive customer information.

The breach stemmed from a misconfigured access setting on a single file stored in a cloud-based system during a routine platform migration. This file, which contained personal and prescription-related information, was accessible only via its exact internet address (direct file path) and was not searchable or browsable online. However, an unauthorized third party accessed and copied the file, as determined during an internal investigation completed on Aug. 22, 2025.

The compromised data included a range of personally identifiable information (PII) and protected health information (PHI): full names, dates of birth, email addresses, phone numbers, order IDs, transaction IDs, shipping addresses, prescribed medication names, prescription identifiers, prescription expiration dates, prescription refills, prices, order statuses, shipping dates, discount and coupon information, and other order-related data.

The threat actor known as “888” claimed responsibility for the breach, posting details and samples of the stolen data on the open web on July 21, 2025. The incident impacted customers who used Hello Cake’s telehealth prescription services, which are provided in partnership with M&D Integrations Inc. (MDI). The breach was limited to information shared for prescription consultations and fulfillment, and did not affect MDI’s systems or other Hello Cake files.

Hello Cake reported the breach to the California Attorney General and to the Montana Attorney General on Sept. 19, 2025. According to the Montana AG disclosure, 50 residents of the state have been affected.

Hello Cake's response

Upon discovering the misconfigured file access, Hello Cake acted to remove the file from their system and correct the security settings. The company launched an internal review and engaged third-party cybersecurity experts to investigate the scope and impact of the incident. Their investigation confirmed that only one file was affected, no other systems were accessed, and the incident was isolated to the cloud storage platform.

Hello Cake has since implemented additional safeguards to prevent similar incidents in the future. They have offered detailed guidance to affected individuals, including steps for monitoring credit reports, placing fraud alerts, and freezing credit files. The company has established a dedicated incident response phone line at 866-291-1599, available Monday through Friday from 8 a.m. to 5:30 p.m. Central Time, to assist those with questions or concerns.

Given the nature of the breach, where access was possible only via the exact file path and no financial data was involved, the risk of direct financial fraud is reduced. However, because exposed data includes both PII and PHI, affected individuals should remain vigilant for signs of identity theft or fraud. It is advisable to regularly review account statements, monitor credit reports for unauthorized activity, and promptly report any suspicious activity to financial institutions or law enforcement.