RIEM News

Sex toy maker Lovense caught leaking users’ email addresses and exposing accounts to takeovers

Source: TechCrunch
Author: Zack Whittaker
Published: 7/29/2025

Security researcher BobDaHacker revealed that sex toy maker Lovense has not fully resolved two critical security vulnerabilities that expose users’ private email addresses and allow account takeovers. Lovense, which has over 20 million users and is known for integrating ChatGPT into its products, was found leaking users’ email addresses through its app’s network traffic. By intercepting and modifying network requests, an attacker could link any Lovense username to its registered email address, posing significant privacy risks—especially for cam models who publicly share usernames but want to keep their emails private. TechCrunch verified this vulnerability, and BobDaHacker demonstrated that automating the process could reveal emails in under a second.

The second flaw is even more severe, enabling attackers to take over any Lovense account using just the exposed email address. This vulnerability allows creation of authentication tokens without passwords, granting full remote control of the account. Given that many users rely on Lovense devices for work, such as cam models, this flaw represents a

Tags

IoT, cybersecurity, internet-connected-devices, data-privacy, vulnerability, account-takeover, bug-bounty