date 2025-07-31

A security researcher has claimed that serious flaws in the Lovense app exposed users’ email addresses and allowed full account takeovers for months, potentially exposing their purchase history.

Lovense, a popular maker of internet-connected sex toys with over 20 million users, was first alerted to the vulnerabilities in March. But according to the researcher, who goes by the handle BobDaHacker, the company delayed addressing the issues. One of them has still not been fully fixed.

Emails exposed through app interactions

The researcher discovered that while using the Lovense app, it was possible to see other users’ email addresses through a network analysis tool. He discovered this vulnerability when he muted his ex-partner’s account and it exposed their email.

“Just muting someone exposed their email… After digging deeper, I figured out how to turn any username into their email address,” the security researcher wrote in a blog post. “This was especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed.”

A TechCrunch report confirmed the vulnerability by creating a new account and asking the researcher to find the registered email, which he did in under a minute. According to BobDaHacker, a script could automate this process in less than a second, potentially exposing millions of users and their purchasing activity.

Account takeover possible with just an email

A second vulnerability discovered by the researcher allowed anyone to take over a Lovense user’s account using just their email address. The flaw involved the ability to generate valid authentication tokens without needing the user’s password.

“Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,” BobDaHacker said.

Lovense says it’s fixing the bugs… eventually

Lovense was informed of the issues on March 26, via the Internet of Dongs — a project that helps report security flaws in sex tech. The company paid the researcher $3,000 through HackerOne as part of a bug bounty.

However, after months of discussions, Lovense reportedly said it would need 14 months to roll out a fix for the email disclosure issue in order to avoid disrupting users with legacy devices.

“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense told the researcher, according to the blog post.

In a recent statement to Bleeping Computer, Lovense said an app update “addressing the latest vulnerabilities” has been submitted to app stores. “The full update is expected to be pushed to all users within the next week,” the company said.