Lovense is well known for its range of remote-controlled vibrators. It’s slightly less known for a massive security issue that exposed user emails and allowed accounts to be wholly taken over by a hacker without even needing a password. Thankfully, both issues have been fixed, but it didn’t happen without some drama.
As the story goes, security researcher BobDaHacker (with some help) accidentally found that you could uncover a user’s email address pretty easily by muting someone in the app. From there, they were able to figure out that you could do this with any user account, effectively exposing every Lovense user’s email without much effort.
With the email in hand, it was then possible to generate a valid gtoken without a password, giving a hacker total access to a person’s Lovense account with no password necessary. The researchers told Lovense of the issue in late March and were told that fixes were incoming.
In June 2025, Lovense told the researchers that the fix would take 14 months to implement because it didn’t want to force legacy users to upgrade the app. Partial fixes were implemented over time, only partially fixing the problems. On July 28, the researchers posted an update showing that Lovense was still leaking emails and had exposed over 11 million user accounts.
“We might have simply harvested emails from any public username listing,” BobDaHacker said in a blog post. “That is particularly bad for cam models who share their usernames publicly but clearly don’t want their personal emails exposed.”
It was around then that the story started making its way around the news cycle. Other researchers began reaching out to show that the exploit had actually been known as far back as 2022, and Lovense had closed the issue without issuing a fix. After two more days in the news cycle, the sex toy company finally rolled out fixes for both exploits on July 30.
It’s not Lovense’s first roll in the mud. In 2017, the company was caught with its proverbial pants down after its app was shown to be recording users while they were using the app and toy. Lovense fixed that issue as well, stating that the audio data was never sent to their servers.