Quitbro Breach: 23K Accounts — Email Addresses Exposed
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple ...
Overview
In February 2026, the porn addiction recovery app Quitbro suffered a data breach that exposed 22,874 user accounts. The incident, first flagged by Have I Been Pwned, leaked email addresses alongside sensitive personal details, including users’ years of birth, therapy questionnaire responses, and last recorded relapse timestamps. Quitbro’s developer, Plantake, did not respond to multiple notifications about the breach, leaving users in the dark about the exposure.
While the raw count of 23,000 accounts is modest compared to mega-breaches, the nature of this app makes the leak uniquely damaging. Users of recovery tools like Quitbro often share deeply personal struggles with addiction - data that, if tied to their identity, could lead to social stigma, professional consequences, or exploitation by malicious actors.
What Was Exposed
The leaked database contained a mix of identifiable and behavioral data:
- Email addresses: Directly tied to user accounts and used for login.
- Years of birth: Useful for age verification but also for identity correlation.
- Therapy questionnaire responses: Detailed answers about addiction triggers, relapse cycles, and recovery progress.
- Last recorded relapse timestamps: Chronological records of when users reported lapses.
The combination of email addresses and addiction recovery data is the real danger here. A bad actor could cross-reference these records with public social media profiles to identify users, then use the breach data for targeted harassment, blackmail, or doxxing.
How the Breach Happened
While Plantake has not issued a public statement, the breach appears to have originated from a misconfigured or compromised database. The data was posted on a publicly accessible forum. No ransomware group claimed responsibility, and no CVE has been assigned - this appears to be a classic case of poor data hygiene rather than a sophisticated attack.
The app’s lack of response to notification emails suggests weak incident response protocols. For a company handling sensitive health-adjacent data, this silence is alarming.
Identity Stigma Risks
Unlike a credit card breach where the financial risk is clear, Quitbro’s leak carries a different kind of danger: social and psychological harm.
Here’s what you should watch for:
- Doxxing and public shaming: An email address plus addiction recovery data is a weapon in the wrong hands. Threat actors could post this data on forums or contact employers.
- Targeted phishing: Emails referencing “your last relapse on [date]” could be used in highly convincing scam attempts.
- Reputational damage: If the data is leaked on data markets, it becomes searchable forever. This could affect job searches, relationships, or insurance eligibility.
The severity is LOW, but the emotional impact can be HIGH. This is a breach of trust, not just a technical incident.
How to Check If You’re Affected
The breach was reported to Have I Been Pwned. Here’s how to verify:
- Visit haveibeenpwned.com
- Enter the email address you used with Quitbro or any other addiction-focused apps.
- If your data appears, the service will show the breach name (Quitbro) and the types of data exposed.
There is no self-service lookup tool from Plantake - they have not set up a verification portal. HIBP is your best option.
What to Do Right Now
Even though the exposed data does not include passwords, the email address alone is enough for targeted phishing:
- Enable multifactor authentication on the email account associated with Quitbro. Attackers may try credential stuffing if you reuse passwords elsewhere.
- Be skeptical of recovery-themed phishing. If you receive an email claiming to be from Quitbro or a related service asking you to verify your relapse data, do not click the link. Forward it to [email protected] or the FTC.
- Consider a data removal service. If you are concerned about your email being searchable on public breach databases, services like DeleteMe or Incogni can help scrub your data from data broker sites.
- Stop using Quitbro immediately. Unless Plantake issues a transparent incident report and patches the vulnerability, there is no guarantee your new data will be safe.
Security Insight
This breach highlights a recurring blind spot in health-tech startups: the assumption that “low sensitivity” data like email addresses is harmless. For recovery apps, even an email address tied to the service name is sensitive - it outs the user’s personal struggles. Plantake’s silence compounds the damage. In the addiction recovery space, where trust is the product, a company that fails to protect that trust has no business operating. The lesson for other developers in this vertical is clear: encrypt everything, not just the fields you think matter.
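As an added illustration of that lesson (not code from Quitbro, Plantake or the original report), the Node.js example below encrypts each of the exposed field types with AES-256-GCM and replaces the plaintext email with a keyed lookup index, so a dumped table alone does not reveal who the users are. The field names, record shape and in-memory keys are assumptions made for the example.

```javascript
// Added example: field-level encryption for a recovery-app user record.
// Field names and key handling are assumptions, not Quitbro's real schema.
const nodeCrypto = require('crypto');

// Assumption: in production both keys live in a KMS or secret store, not in the database.
const ENC_KEY = nodeCrypto.randomBytes(32);   // AES-256-GCM data key
const INDEX_KEY = nodeCrypto.randomBytes(32); // separate HMAC key for the email index

// Keyed "blind index": the login path can find a row by email
// without the table ever holding the address in plaintext.
function emailIndex(email) {
  return nodeCrypto.createHmac('sha256', INDEX_KEY)
    .update(email.trim().toLowerCase()).digest('hex');
}

// Encrypt one field. The AAD binds the ciphertext to its row and column,
// so a value copied into another row or field fails authentication.
function sealField(userId, field, value) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  c.setAAD(Buffer.from(`${userId}:${field}`));
  const ct = Buffer.concat([c.update(JSON.stringify(value), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Decrypt one field; layout is 12-byte nonce, 16-byte tag, ciphertext.
function openField(userId, field, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  d.setAAD(Buffer.from(`${userId}:${field}`));
  d.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]); // throws if tampered
  return JSON.parse(pt.toString('utf8'));
}

// Build the row as stored: every field, not only the "obviously sensitive" ones, is sealed.
function sealRecord(userId, rec) {
  const row = { id: userId, email_idx: emailIndex(rec.email) };
  for (const [field, value] of Object.entries(rec)) {
    row[field] = sealField(userId, field, value);
  }
  return row;
}

// Constructed sample record (not real data).
const sample = { email: 'Alex@example.com', birth_year: 1994,
  questionnaire: { triggers: ['stress'], streak_days: 12 },
  last_relapse: '2026-01-15T22:10:00Z' };
```

The protection holds only while the two keys are stored and access-controlled separately from the database; a key kept in the same table or backup is exposed along with the rows.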