There are very few emails you want less than “Hi, we had a security incident,” and “Hi, we had a security incident” from the company you bought a sex toy from is definitely in the top five. Not because anyone should feel shame about buying a vibrator, a sleeve, or whatever else makes life better, but because data leaks turn purchases like these into a sudden spiral of wanting to know how much of your information they got… and if they’re low-key judging you for what you bought.

This week, Japanese sex toy maker Tenga recently notified U.S. customers about a breach tied to a compromised employee email account. According to TechCrunch, the company said an unauthorized party gained access to the professional email account of one employee. That access potentially exposed customer names, email addresses, and historical email correspondence, which could include order details or customer service conversations. It was later reported that a spokesperson said the breach affected approximately 600 people in the U.S., based on a forensic review.

The company’s public statement draws a clear line around what it says wasn’t impacted. Tenga said the information involved was limited to customer email addresses and related correspondence history. It also said that sensitive personal data like Social Security numbers, billing or credit card information, and TENGA/iroha store passwords were not jeopardized.

That doesn’t mean the situation is nothing. Email threads with a sex toy company can include details people would very much prefer not to be part of someone else’s phishing campaign, even if it’s not straightforward financial data in the classic sense. And the compromised account wasn’t only accessed—it was used. Both the reporting and the company’s statement indicate spam/phishing emails were sent from the employee account to contacts, including customers.

Tenga also called out a narrow timeframe for the spam message: February 12, 2026, between 12 a.m. and 1 a.m. PT. The company says there’s no risk to your device or data if you didn’t open the suspicious attachment/link. If you did click, treat it like any other phishing situation and change your email password, run a malware scan, and keep an eye on anything that looks like it’s trying to get you to“verify information or log in somewhere.

Even if you didn’t click, it’s worth being extra skeptical for a while. Adult-product breaches are catnip for scammers because they assume embarrassment will make people act fast and think slow. Any email that tries to rush you, threaten you, or expose you is playing that angle. Don’t reply. Don’t click. Don’t pay. Report it and move on.

After the incident, TechCrunch said the company reset the compromised employee’s credentials and enabled multi-factor authentication across systems, with the spokesperson declining to say whether multi-factor was enabled on that email account before the breach. Tenga also said it proactively contacted those who may have been impacted and is strengthening its security protocols.

If you received a breach notice, the practical next steps are boring, but important. Sure, it’s not a fun to-do list, but it beats finding out the hard way that your “discreet purchase” became someone else’s spam content.