Lovense flaws expose emails and allow account takeover


Pierluigi Paganini
August 04, 2025


Lovense fixed bugs exposing emails and allowing account takeovers. Company CEO may take legal action after the flaws were publicly disclosed.

Lovense, a manufacturer of internet-connected sex toys, fixed two vulnerabilities that exposed users’ emails and allowed remote account takeovers.

A researcher known as BobDaHacker recently disclosed the flaws after Lovense claimed it would take 14 months to address them.

“Following your report, we conducted a thorough investigation and rolled out initial mitigation steps, including a temporary fix for the script path issue you identified. However, resolving the root cause involves deeper architectural work. We’ve launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution. We also evaluated a faster, one-month fix,” the company told the researcher. “However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We’ve decided against this approach in favor of a more stable and user-friendly solution.”

Lovense CEO Dan Liu told TechCrunch they may take legal action after the flaws were publicly disclosed.

“We want to reassure our customers that: • All identified vulnerabilities have been fully addressed. • As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused,” said Liu. “In response to the numerous erroneous reports online, our legal team is investigating the possibility of legal action.”

Researcher BobDaHacker found that Lovense leaked users’ email addresses via network traffic. He discovered that by modifying requests, any username could be linked to their email. The researcher found a second flaw that let anyone take over a Lovense account using just the user’s email, bypassing passwords to gain full remote access.
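The exposure pattern described above, a username lookup whose response carries the account’s e-mail, is easy to reproduce in any API that serializes a whole user record for a public endpoint. The following is an added illustration written for this article, not code from the original post or from Lovense: it shows the weak pattern beside a hardened version that projects only an explicit allowlist of public fields, plus a response audit that a regression test can run to catch any e-mail-shaped value that slips into a public response. The `User` record, the sample accounts and the field names are constructed assumptions for the example.

```python
"""Constructed example: e-mail disclosure through over-broad serialization.

Not Lovense code. The record layout, usernames and addresses below are
invented for the illustration.
"""
import json
import re
from dataclasses import dataclass, asdict


@dataclass
class User:
    username: str
    email: str
    display_name: str
    password_hash: str


# Constructed sample accounts (fake addresses, placeholder hashes).
USERS = {
    "alice": User("alice", "alice@example.com", "Alice", "$argon2id$placeholder"),
    "bob": User("bob", "bob@example.org", "Bob", "$argon2id$placeholder"),
}

# Fields a public "profile by username" endpoint is allowed to return.
PUBLIC_FIELDS = ("username", "display_name")


def profile_leaky(username: str) -> str:
    """Weak pattern: serialize the entire record.

    Any caller who can name a username learns that user's e-mail (and every
    other column), which is exactly the username-to-e-mail mapping the article
    describes.
    """
    user = USERS.get(username)
    if user is None:
        return json.dumps({"error": "not found"})
    return json.dumps(asdict(user))


def profile_hardened(username: str) -> str:
    """Hardened pattern: project an explicit allowlist.

    Fields not listed in PUBLIC_FIELDS are never serialized, so adding a new
    sensitive column to User cannot silently start leaking it.
    """
    user = USERS.get(username)
    if user is None:
        return json.dumps({"error": "not found"})
    return json.dumps({field: getattr(user, field) for field in PUBLIC_FIELDS})


# Loose e-mail shape: anything@anything.tld without whitespace or quotes.
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+")


def response_leaks_email(body: str) -> list:
    """Return every e-mail-shaped string found anywhere in a JSON response.

    Walks keys and values recursively so nested objects and lists are covered.
    Intended for tests that guard public endpoints.
    """
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and EMAIL_RE.fullmatch(node):
            found.append(node)

    walk(json.loads(body))
    return found


def audit_public_endpoint(handler, usernames) -> dict:
    """Run a handler over every username and report leaked e-mails per user."""
    return {name: response_leaks_email(handler(name)) for name in usernames}


if __name__ == "__main__":
    print("leaky:   ", audit_public_endpoint(profile_leaky, USERS))
    print("hardened:", audit_public_endpoint(profile_hardened, USERS))
```

The audit deliberately matches on value shape rather than on a field named `email`, so renaming or nesting the field does not defeat the check; wiring `audit_public_endpoint` into the test suite for every unauthenticated endpoint turns this class of disclosure into a failing test rather than a bug report.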

The two vulnerabilities were fixed on July 30, just two days after the researcher disclosed them, despite the company initially telling him it would take 14 months. The researcher questions how a 14-month estimate was possible if the issues were resolved in just two days.

“BOTH critical vulnerabilities were finally fixed on July 30, 2025 – but only after public pressure forced their hand. The email disclosure they claimed would take 14 months to fix? Fixed in 2 days. The account takeover vulnerability first reported in 2023? Also suddenly fixed after 2 years of lies. This went viral and within 48 hours, they miraculously found solutions to ‘impossible’ problems. See all updates below for the full story of Lovense’s negligence, lies, and how public exposure accomplished what years of responsible disclosure couldn’t.”
