Lovense, a prominent manufacturer of remote-controlled vibrators, has fixed two security vulnerabilities in its platform: one exposed user email addresses, and the other let attackers take over accounts without a password. Following extensive scrutiny, both the security issues and the concerns surrounding user privacy have now been resolved.
In late March 2025, security researcher BobDaHacker discovered that user email addresses could be easily accessed by muting someone in the Lovense app. This exploit allowed anyone to uncover email addresses associated with any user account, effectively compromising the privacy of all Lovense users with little effort. Once a hacker had a user’s email, they could generate a valid token, granting full access to the account without needing to enter a password.
After being informed of the vulnerabilities, Lovense assured researchers that a fix was forthcoming. However, in June 2025, the company communicated that implementing a complete solution would take approximately 14 months due to concerns about forcing legacy users to upgrade the app. In the interim, only partial fixes were rolled out, leaving many vulnerabilities unaddressed.
On July 28, 2025, BobDaHacker published an update revealing that Lovense was still leaking email addresses and had exposed over 11 million user accounts. In a blog post, he stated, “We could have easily harvested emails from any public username list. This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed.”
The situation attracted considerable media attention, prompting other security experts to reveal that the exploit had been known since as early as 2022. They claimed that Lovense had previously closed the issue without deploying a proper fix.
Following two days of heightened scrutiny, Lovense finally rolled out fixes for both the email exposure and account takeover vulnerabilities on July 30, 2025.
This incident is not the first time Lovense has faced scrutiny over its security practices. In 2017, the company was criticized when it was revealed that its app was recording audio while users interacted with the app and devices. Lovense subsequently clarified that the audio data was never transmitted to their servers.
With the recent resolution of the security vulnerabilities, Lovense aims to restore user confidence and enhance the overall security of its platform. As the digital landscape continues to evolve, maintaining robust security measures remains crucial for companies managing sensitive user data.
