Lovense Flaws Expose Emails and Allow Account Takeover
Internet-connected sex toy manufacturer Lovense has fixed two vulnerabilities that exposed users' emails and allowed remote account takeovers. The company's quick response to the issues, which were previously estimated to take 14 months to address, has raised questions about its initial claims and potential motivations.
A Flaw in the System
Researcher BobDaHacker recently disclosed the flaws. The first allowed anyone to link a username to an email address via network traffic. The second enabled an attacker to take over a Lovense account using just the account's email address, bypassing the password for full remote access.
The Initially Estimated Timeline
Lovense initially claimed it would take 14 months to address the issues, which sparked concerns among experts and researchers. However, under public pressure, the company fixed both vulnerabilities on July 30, just two days after they were publicly disclosed.
A Message from Lovense CEO Dan Liu
Dan Liu, Lovense's CEO, told TechCrunch that the company has taken steps to address the issues and reassure its customers. "We want to assure our customers that:
• All identified vulnerabilities have been fully addressed.
• As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused."
A Warning from BobDaHacker
BobDaHacker warned about the potential consequences of Lovense's initial claims and the rapid response to the issues. "BOTH critical vulnerabilities were finally fixed on July 30, 2025 – but only after public pressure forced their hand. The email disclosure they claimed would take 14 months to fix? Fixed in 2 days. The account takeover vulnerability first reported in 2023? Also suddenly fixed after 2 years of lies."
A Look into Lovense's Response
The researcher questions how a 14-month estimate was possible if the issues were resolved in just two days. This has raised concerns about the company's accountability and transparency.
As researchers and experts continue to scrutinize Lovense's response, it remains to be seen whether the company will face legal action for its initial claims and perceived negligence. The incident serves as a reminder of the importance of responsible disclosure and prompt action when vulnerabilities are discovered.