Too Lost Data Breach Exposes SSNs and Other PII of 3,206 Users

Too Lost, a music and technology company specializing in SaaS solutions for independent music creators, recently experienced a data breach in the United States.

According to the disclosure filed with the Maine Attorney General, the incident was discovered on Feb. 10, 2026, after an unauthorized third party contacted the company at the end of January claiming to have obtained certain information from the Too Lost environment.

A comprehensive investigation, supported by cybersecurity experts and law enforcement, revealed that unauthorized access and data transfer occurred between July 25, 2025, and Sept. 2, 2025, through a Too Lost web application.

The breach exposed personally identifiable information (PII) including Social Security numbers, driver's licenses, names, addresses, email addresses and phone numbers. Passwords were not affected by this incident.

In total, the breach impacted 3,206 individuals in the United States, with 68 affected in Massachusetts and two in Maine.

Too Lost notified affected consumers on Feb. 20, 2026, using written communication. The company also reported the breach to the Massachusetts Office of Consumer Affairs and Business Regulation and the Vermont Attorney General on Feb. 23, 2026.

Too Lost's response

Too Lost is offering all affected individuals 24 months of complimentary credit monitoring and identity protection services through IDX, which includes a $1 million insurance reimbursement policy and fully managed identity theft recovery services.

Affected individuals can enroll in these services using the information provided in their notification letter.

Those impacted are encouraged to remain vigilant by monitoring account statements and free credit reports for any signs of suspicious activity. The company also recommends changing passwords and considering a credit freeze or fraud alert with the major credit bureaus if concerned about potential misuse of their information.