Lovense App Leak Exposes User Emails – What You Need to Know and Stay Safe

Security Flaw Exposes Email Addresses of Lovense Users
A recent security vulnerability in Lovense, a company known for its smart, remotely controlled adult toys, has raised serious concerns about user privacy. Researchers have discovered a method that allows threat actors to extract email addresses from Lovense user accounts, potentially exposing sensitive personal information.
The flaw was uncovered by a group of security researchers under the aliases BobDaHacker, Eva, and Rebane. According to their findings, if an attacker knows a user’s username—often easily obtained from forums or live cam shows—they can exploit a weakness in Lovense’s system to reveal the associated email address.
How the Exploit Works
The process involves creating a fake email address using encryption techniques and internal components of Lovense’s system. This fake email is then added as a “friend” in the chat system. When the contact list updates, the system inadvertently exposes the real email address linked to the username in the background code.
This entire operation can be automated and completed in under a second, making it highly efficient for malicious actors to collect large volumes of email addresses quickly.
Lovense has approximately 20 million customers worldwide, which means the potential impact of this vulnerability is significant. The company also revealed that this issue was discovered alongside another more severe flaw that allowed account takeovers. While that vulnerability was quickly addressed, the current one remains unresolved.
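A regression check a service could run over its contact-list responses to catch the class of leak described above, where another user's email address rides along in the payload. This is an added example, not Lovense's or the researchers' code; the payload shape, field names and addresses are constructed assumptions.

```python
import re

# Matches an e-mail address anywhere inside a string, including when it is
# embedded in a longer identifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def find_leaked_emails(payload, own_email, path="$"):
    """Walk a decoded JSON payload and return (json_path, address) for every
    e-mail address that does not belong to the requesting user."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits += find_leaked_emails(value, own_email, f"{path}.{key}")
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits += find_leaked_emails(item, own_email, f"{path}[{i}]")
    elif isinstance(payload, str):
        for addr in EMAIL_RE.findall(payload):
            if addr.lower() != own_email.lower():
                hits.append((path, addr))
    return hits  # numbers, booleans and None carry no addresses


# Constructed sample: a contact list that discloses other users' addresses,
# once inside an identifier and once in a nested profile field.
LEAKY_ROSTER = {
    "owner": {"username": "alice", "email": "alice@example.com"},
    "contacts": [
        {"username": "bob", "id": "bob@example.net/app"},
        {"username": "carol", "profile": {"email": "carol@example.org"}},
    ],
}

# Constructed sample: the same list keyed by opaque identifiers only.
SAFE_ROSTER = {
    "owner": {"username": "alice", "email": "alice@example.com"},
    "contacts": [
        {"username": "bob", "id": "c_7f3a9d"},
        {"username": "carol", "id": "c_19be02"},
    ],
}

if __name__ == "__main__":
    for where, addr in find_leaked_emails(LEAKY_ROSTER, "alice@example.com"):
        print(f"leak at {where}: {addr}")
```

Run against responses captured in an integration test, any non-empty result should fail the build.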
Lovense's Response and Ongoing Issues
Lovense acknowledged the problem and stated that a long-term remediation plan is in place. The company claims it will take roughly ten months to fully resolve the issue, with at least four months needed to implement a complete solution. A faster fix, which would require all users to upgrade immediately, was considered but ultimately rejected due to concerns about disrupting support for older versions of the app.
In addition, Lovense deployed a proxy feature as a temporary mitigation, but according to researchers, it is not functioning as intended.
BobDaHacker, one of the researchers involved, pointed out that this is not just a one-time oversight. He claims there is a pattern of "lies to researchers about fixing critical vulnerabilities," prioritizing legacy app support over user security, and inconsistent payments to security researchers.
He also mentioned that a similar vulnerability was previously reported by another researcher named Krissy in 2023. Despite being paid $350 for her findings, the issue was never truly fixed. BobDaHacker and his team later rediscovered the same bug through a different method, only to find that Lovense treated their report as a new discovery and offered them $3,000.
Risks and Recommendations for Users
The exposure of email addresses poses a serious risk. Hackers could use these details to launch highly targeted phishing campaigns, leading to identity theft, wire fraud, and even ransomware attacks.
If you are concerned that your information may have been compromised, there are several steps you can take:
- HaveIBeenPwned? – This resource allows you to check if your details have been part of any major data breaches.
- Google Password Checkup Tool – If you save passwords in a Google account, this tool can help identify if any of your credentials have been exposed.
- Password Managers – Using a reliable password manager can help protect your login information and reduce the risk of unauthorized access.
Stay informed and take proactive steps to safeguard your digital presence.