Sex toy maker Lovense caught leaking users' email addresses and exposing accounts to takeovers | TechCrunch
A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email addresses of its users and allow the takeover of any user's account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products.

But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.

BobDaHacker said they discovered that Lovense was leaking people's email addresses while using the app. Although other users' email addresses were not visible to users in the app, anyone using a network analysis tool to inspect the data flowing in and out of the app would see the other user's email address when interacting with them, such as muting them.

By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with their registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.

"This was especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed," BobDaHacker wrote in their blog post.

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user's email address in less than a second.

BobDaHacker said a second vulnerability allowed them to take over any Lovense user's account using just their email address, which could be derived from the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user.

"Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address," said BobDaHacker.

The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys and helps report and disclose flaws to device makers.

According to BobDaHacker, they were awarded a total of $3,000 via bug bounty site HackerOne. But after several weeks of back-and-forth disputing whether the bugs were actually fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. Security researchers typically grant vendors three months or less to fix a security bug before going public with their findings. The company told BobDaHacker in the same email that it decided against a faster one-month fix, which would have required forcing customers using older products to upgrade their apps immediately.

The researcher notified the company ahead of disclosure, per an email seen by TechCrunch. BobDaHacker said in a blog post update on Tuesday that the bug may have been identified by another researcher as far back as September 2023, but the bug was allegedly closed without a fix.

Lovense did not respond to an email from TechCrunch sent prior to publication. After we published, a Lovense representative said the account takeover bug has now been fully addressed and that the email disclosure bug will be patched in an update expected to be pushed to all users within the next week. The representative would not commit to publicly notifying its customers about the bugs.

Updated with comment from Lovense.
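The two weaknesses described above, a response about another user that carries fields the caller was never meant to see, and token issuance that needs only an identifier rather than proof of possession, map onto two standard server-side defences. The following is an added example written for this page; it is not Lovense's code, and its users, field names, endpoints and signing key are hypothetical. It shows the "return the stored record" anti-pattern beside an allowlist serializer, a regression check that flags any field outside the allowlist in a response, and a token endpoint that mints a signed, expiring token only after the password is verified.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical service state. In a real deployment the signing key comes from a
# secrets manager; here it is generated per process so the example runs offline.
SERVER_SECRET = secrets.token_bytes(32)
_PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


def make_user(user_id: int, username: str, email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"id": user_id, "username": username, "email": email,
            "salt": salt, "password_hash": _hash_password(password, salt),
            "muted": set()}


# Constructed sample accounts (not real people or real addresses).
USERS = {u["username"]: u for u in (
    make_user(1, "alice_cam", "alice@example.invalid", "correct horse battery"),
    make_user(2, "bob", "bob@example.invalid", "hunter2"),
)}

# The only fields another user is ever allowed to see. Anything not listed
# (email included) never leaves the server, whatever columns are added later.
PUBLIC_FIELDS = ("id", "username")


def serialize_user_leaky(user: dict) -> dict:
    """Anti-pattern: the stored record minus a denylist of secrets becomes the
    API response, so every field not explicitly hidden (here, email) is exposed."""
    return {k: v for k, v in user.items() if k not in ("salt", "password_hash", "muted")}


def serialize_user_public(user: dict) -> dict:
    """Hardened form: an allowlist, so new columns are private by default."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def mute_user(actor_username: str, target_username: str, serializer=serialize_user_public) -> dict:
    """A social action about another user; its response must describe the target
    only through the public serializer."""
    actor, target = USERS[actor_username], USERS[target_username]
    actor["muted"].add(target["id"])
    return {"muted": serializer(target)}


def leaked_fields(response, allowed=PUBLIC_FIELDS) -> set:
    """Regression check for API tests: walk a JSON-able response and collect any
    leaf key that is not on the allowlist."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, (dict, list)):
                    walk(value)
                elif key not in allowed:
                    found.add(key)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(response)
    return found


def issue_token(email: str, password: str, ttl_seconds: int = 3600):
    """Mint a session token only after the password is verified. Returns None
    on failure. The hash is computed even for unknown emails so response timing
    does not reveal whether an address is registered."""
    user = next((u for u in USERS.values() if u["email"] == email), None)
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["password_hash"] if user else b"\x00" * 32
    computed = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(computed, expected):
        return None
    payload = json.dumps({"sub": user["id"], "exp": int(time.time()) + ttl_seconds}).encode()
    sig = hmac.new(SERVER_SECRET, payload, "sha256").digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str, now=None):
    """Return the subject id for a valid, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(hmac.new(SERVER_SECRET, payload, "sha256").digest(), sig):
        return None
    claims = json.loads(payload)
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims["sub"]
```

The `leaked_fields` check is the piece worth wiring into an API test suite: run it over every response that describes another user, and a field added to the user model can no longer reach the wire unnoticed. The token side shows the minimal contract a login endpoint should honour: no credential, no token, and every token it does issue is signed and expires.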
Zack Whittaker, Security Editor

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
© 2025 TechCrunch Media LLC