• Lovense adult toy app lea

    From Mike Powell@618:250/1 to All on Wed Jul 30 09:23:53 2025
    [A bit of real-life humor - not political but I couldn't think of a better place to share it. -- Mike]

    Lovense adult toy app leaks private user email addresses - what we know, and how to stay safe if you're affected

    Date:
    Tue, 29 Jul 2025 20:02:00 +0000

    Description:
    Experts find a way to doxx people using smart sex toy app - and it still
    hasn't been fixed.

    FULL STORY

    Lovense, a sex tech company specializing in smart, remotely controlled adult toys, had a vulnerability in its systems which could allow threat actors to view people's private email addresses.

    All they needed was that person's username and apparently - these things are relatively easy to come by.

    Recently, security researchers under the alias BobDaHacker, Eva, Rebane, discovered that if they knew someone's username (maybe they saw it on a forum
    or during a cam show), they could log into their own Lovense account (which doesn't need to be anything special, a regular user account will suffice), and use a script to turn the username into a fake email (this step uses
    encryption and parts of Lovense's system meant for internal use).

    That fake email gets added as a friend in the chat system, but when the
    system updates the contact list, it accidentally reveals the real email
    address behind the username in the background code.

    Automating exfiltration

    The entire process can be automated and done in less than a second, which
    means threat actors could have abused it to grab thousands, if not hundreds
    of thousands of email addresses, quickly and efficiently.

    The company has roughly 20 million customers worldwide, so the attack surface is rather large.

    The bug was discovered together with another, even more dangerous flaw, which allowed for account takeover. While that one was quickly remedied by the company, this one has not yet been fixed. Apparently, the company still needs months of work to plug the leak:

    "We've launched a long-term remediation plan that will take approximately ten months, with at least four more months required to fully implement a complete solution," Lovense told the researcher.

    "We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions. We've decided against this approach in favor of a more stable and user-friendly solution."

    Lovense also said that it deployed a proxy feature as a mitigation but apparently, it's not working as intended.

    How to stay safe

    The attack is particularly concerning as such records could contain more than enough of sensitive information for hackers to launch highly personalized, successful phishing campaigns, leading to identity theft, wire fraud, and
    even ransomware attacks.

    If you're concerned you may have been caught up in the incident, don't worry
    - there are a number of methods to find out. HaveIBeenPwned? is probably the best resource only to check if your details have been affected, offering a run-down of every big cyber incident of the past few years.

    And if you save passwords to a Google account, you can use Google's Password Checkup tool to see if any have been compromised, or sign up for one of the best password manager options we've rounded up to make sure your logins are protected.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/lovense-adult-toy-app-leaks-private-user-email-addresses

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
  • From Digimaus@618:618/1 to Mike Powell on Thu Jul 31 15:08:36 2025
    Mike Powell wrote to All <=-

    [A bit of real-life humor - not political but I couldn't think of a better place to share it. -- Mike]

    This echo is meant for "adult-oriented" posts also. I guess I should
    actually say that.

    Lovense adult toy app leaks private user email addresses - what we
    know, and how to stay safe if you're affected

    I just read this article today. That's some damn lousy security and QA
    on their part.

    There's a joke somewhere in "adult toy leaking" but I'm not really sure
    if I want to go there. XD

    -- digi <8D~

    ... A feature is a bug with seniority.
    --- MultiMail/Win v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Mike Powell@618:250/1 to DIGIMAUS on Thu Jul 31 18:25:44 2025
    Lovense adult toy app leaks private user email addresses - what we
    know, and how to stay safe if you're affected

    I just read this article today. That's some damn lousy security and QA
    on their part.

    Yes. That said, from the article, I sort of got the idea that part of the "thrill" of owning one of their products is to allow persons to operate
    them from remote, and these persons could be "internet friends" that one
    has no real connection to otherwise.

    I suspect part of their security issue is up to their users and how free
    they are with vetting who "connects" with them.

    There's a joke somewhere in "adult toy leaking" but I'm not really sure
    if I want to go there. XD

    Indeed. ;)


    * SLMR 2.1a * SHOCKING TRUTH: 50% of all people are below average....
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
  • From Digimaus@618:618/1 to Mike Powell on Fri Aug 1 13:59:37 2025
    Mike Powell wrote to DIGIMAUS <=-

    Yes. That said, from the article, I sort of got the idea that part of
    the "thrill" of owning one of their products is to allow persons to operate them from remote, and these persons could be "internet friends" that one has no real connection to otherwise.

    Yes, that's the gist of it.

    I suspect part of their security issue is up to their users and how
    free they are with vetting who "connects" with them.

    I'm sure that's a big part of it.

    Indeed. ;)

    Come one, come all?

    (I'm sorry I couldn't help it.)

    -- digi <8D~

    ... "I could tell my parents hated me. My bath toys were a toaster and a radio."
    --- MultiMail/Win v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Arelor@618:250/24 to Digimaus on Mon Aug 4 12:10:59 2025
    Re: Re: Lovense adult toy app lea
    By: Digimaus to Mike Powell on Thu Jul 31 2025 03:08 pm


    There's a joke somewhere in "adult toy leaking" but I'm not really sure
    if I want to go there. XD

    They used the sex toys to penetrate through your security.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.29-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Digimaus@618:618/1 to Arelor on Mon Aug 4 19:59:36 2025
    Arelor wrote to Digimaus <=-

    They used the sex toys to penetrate through your security.

    Then there's this:

    ===
    Lime-Green Dildo Thrown onto Court for the SECOND TIME in a Week at WNBA
    Game

    "A lime green dildo was thrown onto the court once again, marking
    the second time in just a week that a sex toy has disrupted a
    professional women's basketball game.

    The latest incident took place during the third quarter of a matchup
    between the Golden State Valkyries and the Chicago Sky.

    The game was abruptly halted after a lime-green sex toy was thrown onto
    the court.

    A referee quickly nudged the unwelcome projectile to the side before
    someone scooped it up using a cloth, as if it were just another day at
    the office in the WNBA's new circus act."
    ===

    From: https://tinyurl.com/bdzxx6td (thegatewaypundit.com)

    -- digi <8D~

    ... Capital punishment means never having to say "You again?".
    --- MultiMail/Win v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Mike Powell@618:250/1 to DIGIMAUS on Tue Aug 5 09:56:27 2025
    They used the sex toys to penetrate through your security.

    Then there's this:

    ===
    Lime-Green Dildo Thrown onto Court for the SECOND TIME in a Week at WNBA
    Game

    I wonder if there is a significance to the color lime-green? Was that the color of one of the team's jerseys?

    Makes me think it could be the same person.


    * SLMR 2.1a * Keyboard not found. Visualize "F1" to continue.
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)