Lovense Security Flaws: Email Leaks and Account Takeovers Addressed
TL;DR
Lovense, a manufacturer of internet-connected sex toys, has addressed critical vulnerabilities that exposed users’ emails and allowed account takeovers. The company’s CEO has hinted at potential legal action following the public disclosure of these flaws.
Lovense, a prominent manufacturer of internet-connected sex toys, has recently addressed two significant security vulnerabilities. These flaws exposed users’ email addresses and allowed remote account takeovers. The issues were brought to light by a researcher known as BobDaHacker, who disclosed the vulnerabilities after the company claimed it would take 14 months to address them.
Initial Response and Mitigation
In response to the researcher’s report, Lovense conducted a thorough investigation and implemented initial mitigation steps. The company stated:
Following your report, we conducted a thorough investigation and rolled out initial mitigation steps, including a temporary fix for the script path issue you identified. However, resolving the root cause involves deeper architectural work. We’ve launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution. We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We’ve decided against this approach in favor of a more stable and user-friendly solution.
Public Disclosure and Legal Implications
Following the public disclosure of these vulnerabilities, Lovense CEO Dan Liu indicated that the company might take legal action. Liu reassured customers that all identified vulnerabilities had been fully addressed and that there was no evidence of user data being compromised or misused. He stated:
We want to reassure our customers that:
- All identified vulnerabilities have been fully addressed.
- As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.
Researcher’s Findings
The researcher, BobDaHacker, discovered that Lovense was leaking users’ email addresses via network traffic. By modifying requests, any username could be linked to their corresponding email. Additionally, a second flaw allowed anyone to take over a Lovense account using just the user’s email, bypassing passwords to gain full remote access.
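The first finding above is a classic data-exposure pattern: a lookup keyed on a public identifier (the username) returns a private one (the email) to whoever asks. The following is an added illustration, not Lovense's code and not taken from the researcher's write-up, of that pattern beside the usual fix, an allow-list serializer that includes the email only when the requester is the account owner. The user records, field names and the `lookup_profile_*` / `audit_exposure` function names are all constructed for the example.

```python
"""Added example (not Lovense's code): a profile lookup that hands out emails to
any caller, beside a hardened version that returns only the fields the caller
is entitled to see. All records and endpoint shapes are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    username: str
    email: str


# Constructed sample user store (hypothetical data).
USERS: Dict[str, User] = {
    "alice": User("alice", "alice@example.com"),
    "bob": User("bob", "bob@example.com"),
}

# Allow-lists: what an arbitrary caller may see vs. what the owner may see.
PUBLIC_FIELDS = ("username",)
OWNER_FIELDS = ("username", "email")


def lookup_profile_vulnerable(username: str, requester: Optional[str]) -> Optional[dict]:
    """Returns the whole record regardless of who asks, so any caller can map a
    username to its email. This is the exposure class described in the article."""
    user = USERS.get(username)
    if user is None:
        return None
    return {"username": user.username, "email": user.email}


def lookup_profile_hardened(username: str, requester: Optional[str]) -> Optional[dict]:
    """Serialises from an allow-list chosen by the caller's relationship to the
    record: the email is private and is emitted only to the account owner."""
    user = USERS.get(username)
    if user is None:
        return None
    fields = OWNER_FIELDS if requester == user.username else PUBLIC_FIELDS
    return {field: getattr(user, field) for field in fields}


def audit_exposure(lookup: Callable[[str, Optional[str]], Optional[dict]],
                   requester: Optional[str]) -> int:
    """Counts how many *other* users' emails `lookup` reveals to `requester`.
    A regression test for a serializer: the hardened lookup must return 0."""
    leaked = 0
    for name in USERS:
        if name == requester:
            continue
        record = lookup(name, requester)
        if record is not None and "email" in record:
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("vulnerable lookup leaks:", audit_exposure(lookup_profile_vulnerable, "bob"))
    print("hardened lookup leaks:", audit_exposure(lookup_profile_hardened, "bob"))
    print("anonymous caller, hardened:", audit_exposure(lookup_profile_hardened, None))
```

The design point is that the response shape is chosen by an explicit allow-list rather than by dumping the stored record; a test like `audit_exposure` run over every serializer that touches user data catches the regression before it reaches production.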
Rapid Resolution
Despite initially stating that it would take 14 months to fix the issues, Lovense resolved both vulnerabilities within two days of the public disclosure. This rapid resolution raised questions about the company’s initial timeline and the effectiveness of its security measures.
BOTH critical vulnerabilities were finally fixed on July 30, 2025 – but only after public pressure forced their hand. The email disclosure they claimed would take 14 months to fix? Fixed in 2 days. The account takeover vulnerability first reported in 2023? Also suddenly fixed after 2 years of lies. This went viral and within 48 hours, they miraculously found solutions to “impossible” problems. See all updates below for the full story of Lovense’s negligence, lies, and how public exposure accomplished what years of responsible disclosure couldn’t.
Conclusion
The rapid resolution of these critical vulnerabilities highlights the importance of public disclosure and pressure in driving companies to address security issues promptly. Lovense’s handling of these flaws underscores the need for robust security measures and transparent communication with users and researchers.
Additional Resources
For further insights, check:
- TechCrunch Article on Lovense Vulnerabilities
- BobDaHacker’s Blog on Lovense Security Flaws
- Security Affairs Article on Lovense