Tenga Email Breach: Customer Data Exposure and Privacy Risks in the Adult Products Market

CyberSecureFox 🦊

Japanese adult products manufacturer Tenga has disclosed a security incident involving the compromise of a corporate email account, potentially exposing sensitive customer information and correspondence. The case illustrates how a seemingly routine business email compromise can become particularly damaging when it affects buyers of intimate goods.

Tenga email account compromised: what is known about the incident

According to a notification obtained by TechCrunch, an attacker gained unauthorized access to a Tenga employee’s work email account. Once inside, the intruder could read all messages stored in the mailbox, including customer support requests and business correspondence with partners.

The company reports that exposed information may include customer names, email addresses and the content of historical email threads. These messages can contain order details, delivery questions and support conversations, giving an attacker a detailed view of individual purchasing histories and issues raised with the brand.

The compromised mailbox was also used to send spam and unsolicited messages to contacts in the address book, including Tenga customers. This significantly raises the risk of targeted phishing campaigns that appear to come from a legitimate corporate address and reference genuine prior communications.
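The outbound spam described above leaves a recognizable trace in mail logs: one internal sender suddenly reaching many distinct recipients in a short window. The following detection sketch is an added example, not code from Tenga or the original article. The log format, the addresses, and the 10-minute / 5-recipient thresholds are constructed assumptions to be tuned against a real baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: '<ISO time> <sender> <recipient>' (hypothetical format)."""
    lines = [
        "2025-01-10T09:00:00 support@shop.example alice@mail.example",
        "2025-01-10T09:20:00 support@shop.example bob@mail.example",
        "2025-01-10T09:45:00 sales@shop.example partner@vendor.example",
        "not a log line",
    ]
    start = datetime(2025, 1, 10, 14, 0, 0)
    for i in range(12):  # burst: 12 different contacts in under a minute
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} support@shop.example contact{i}@mail.example")
    return lines

def find_fanout(lines, window=timedelta(minutes=10), max_recipients=5):
    """Return {sender: (window_start, peak_distinct_recipients)} for senders
    that mailed more than max_recipients distinct addresses within window."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1].lower(), parts[2].lower()))
        except ValueError:
            continue  # skip unparseable timestamps
    recent = defaultdict(deque)  # sender -> (time, recipient) pairs inside the window
    alerts = {}
    for t, sender, rcpt in sorted(events):
        q = recent[sender]
        q.append((t, rcpt))
        while t - q[0][0] > window:
            q.popleft()  # drop events older than the window
        distinct = len({r for _, r in q})
        if distinct > max_recipients and distinct > alerts.get(sender, (None, 0))[1]:
            alerts[sender] = (q[0][0], distinct)
    return alerts

if __name__ == "__main__":
    for sender, (since, count) in find_fanout(build_sample_log()).items():
        print(f"ALERT {sender}: {count} distinct recipients since {since.isoformat()}")
```

Counting distinct recipients rather than messages keeps a long thread with a single customer from triggering the alert.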

Potential impact: which Tenga customers may be affected

The notification was sent under the banner of Tenga Store USA, indicating that at least U.S. customers are impacted. It remains unclear whether the breach is limited to the American customer base or also covers users from other regions who interacted with the same email channel.

Tenga has not provided further technical or geographic details to the press. This is common in commercial incidents, where companies must balance regulatory notification obligations with efforts to control reputational damage and avoid disclosing information that might aid further attacks.

Company response: MFA rollout and account security

After detecting the intrusion, Tenga security staff reset the username and password for the affected account and stated that they have enabled multi-factor authentication (MFA) across all systems. MFA requires an additional verification step beyond a password, such as a one-time code, hardware token or biometric check.

The company did not clarify whether MFA was already enabled on the hacked mailbox. If it was not, the attacker could have gained access using stolen credentials, password reuse, brute-force attacks or successful phishing against the employee. Industry reports such as Verizon’s Data Breach Investigations Report consistently show that compromised credentials and phishing are among the leading causes of business email breaches.

Tenga advised customers to change passwords on their accounts and remain cautious about suspicious emails, even though the firm states that customer login passwords were not directly exposed. Nonetheless, the combination of name, email and detailed correspondence is sufficient to stage convincing social engineering attacks.

Why data breaches are especially sensitive for adult products customers

In this case, the exposed data involves highly sensitive purchasing behavior. For many users, simply revealing that they have bought adult products, let alone the specific items or related support issues, can cause personal embarrassment or reputational harm.

Even “basic” identifiers such as name, email address and message history become sensitive in this context. Criminals can exploit this information for blackmail, extortion and tailored phishing, referencing real order details to increase credibility and pressure victims into paying or disclosing further data.

Sex tech and IoT security: Tenga is not an isolated case

The Tenga incident follows a series of cybersecurity and privacy problems in the broader “sex tech” and connected device market. For example, the platform of another major brand, Lovense, was previously found to contain a vulnerability that allowed attackers to obtain a user’s real email address by knowing only their public username, enabling large-scale deanonymization.

Earlier, in 2017, users discovered that a Lovense mobile application recorded audio tracks during device use and stored them locally on smartphones or tablets. While the vendor stated these files were not uploaded to servers and were linked to vibration features, the lack of transparency raised serious questions about data minimization and privacy by design.

Core cybersecurity lessons for e‑commerce and IoT vendors

The Tenga email hack reinforces several non-negotiable best practices for organizations handling sensitive customer data:

1. Enforce MFA on all email and cloud accounts. Business email remains a primary entry point for attackers. Protecting it with MFA drastically reduces the risk of account takeover via stolen or reused passwords.

2. Apply strict data minimization. Customer communications should avoid storing unnecessary sensitive details, such as full payment information or explicit personal preferences, unless absolutely required for operations or legal compliance.

3. Train staff against phishing and social engineering. Even well-secured systems are vulnerable if employees are tricked into entering credentials on fake login pages or opening malicious attachments.

4. Limit access and segregate systems. Employees should only access data strictly needed for their role. This least privilege approach reduces the blast radius if an individual account is compromised.

Practical security tips for users of adult products and services

Consumers can significantly improve their privacy and resilience against such incidents by following basic digital hygiene practices:

Use a dedicated email address for adult purchases and related online services, separate from primary work or personal accounts.

Create unique, complex passwords for every site and store them in a reputable password manager rather than in browsers, notes or email drafts.

Enable multi-factor authentication wherever available, prioritizing email accounts and major online stores or platforms.

Be skeptical of unexpected messages requesting password resets, urgent payments or card details—even if they appear to come from a known brand and reference real orders. When in doubt, navigate directly to the official website instead of clicking links in the email.

The Tenga incident demonstrates that even a “simple” email compromise can become highly damaging when it involves intimate products and services. Vendors in the adult and IoT sectors need to embed strong privacy and security controls into their architectures from the outset, while users should treat the protection of their digital intimacy with the same seriousness as their financial data—by adopting MFA, strong passwords and cautious behavior online.
