A Lovense security flaw may be letting people take over accounts without a password

Sex toy company Lovense is leaking the email addresses of its app users and allowing account takeovers without asking for a password, according to a security researcher. As reported by TechCrunch, BobDaHacker, who describes themself as an ethical hacker committed to exposing and reporting security vulnerabilities, published an extensive report in which they accuse Lovense of failing to fix a serious bug it was first made aware of in 2023.

According to the hacker (and later verified by TechCrunch), Lovense allows any username to be turned into their email address with the right know-how, a flaw they initially discovered after muting someone on the app. With their access to Lovense's API, they were able to obtain the emails associated with any public username in less than a second when running the modified request process through an automated script. They noted that the vulnerable nature of these accounts is "especially bad for cam models" who use the Lovense platform for work, and may share their usernames for these purposes.

The researcher also realized that with a user's email address (either one you already know or one obtained using the aforementioned disclosure bug), they could generate auth tokens that allowed them to take over the associated account without a password. This allegedly worked for the Lovense Chrome Extension and Lovense Connect app, as well as the company's Cam101 and StreamMaster software — and even admin accounts.

BobDaHacker said they initially reported the bugs to Lovense with assistance from the sex tech hacking project The Internet Of Dongs in March 2025, and received $3,000 in total for flagging them via the HackerOne security platform. After a series of interactions with Lovense representatives, they were told in early June that the account takeover bug had been fixed during the previous month, which the researcher claims is not true. Regarding the email disclosure flaw, Lovense said in a statement printed by BobDaHacker that it could take up to 14 months to fix the issue, as a faster one-month fix would "require forcing all users to upgrade immediately," which it said would "disrupt support for legacy versions."

The researcher went on to say that they were contacted by a Twitter user who claimed to have found the same account takeover bug as far back as 2023, and were told shortly after reporting it to Lovense that the bug had been resolved, which wasn't the case. They said a patch eventually fixed their method, which used an HTTP endpoint to convert a username into an email address, but that it wasn't rolled out until early 2025. BobDaHacker said they had requested comment from Lovense but at the time of writing had not received one.

This isn't the first time Lovense users have stumbled upon privacy concern bugs. In 2017, a Redditor discovered that the Lovense app, which allows users to control their sex toys remotely, was recording audio without their consent and saving it to their phone. A commenter on the Reddit post, who claimed to be a Lovense representative, called the recordings a "minor software bug" that affected the Android version of the app and said at the time that it had been fixed in an update.

Updated 7/30/25 7:51 AM ET: In a statement to BleepingComputer, Lovense said that a fix is rolling out in the app stores: "The full update is expected to be pushed to all users within the next week. Once all users have updated to the new version and we disable older versions, this issue will be completely resolved."

The company's spokesperson stated that the exposed email addresses flaw was fixed at the end of June, although BobDaHacker says this issue still remains.

Updated 8/1/25 8:09 AM ET: Dan Liu, the company's CEO, sent a lengthy statement to Engadget claiming the "email address exposure vulnerability has been fully resolved," and the account takeover vector is "fixed." He says both issues were discovered under "controlled conditions" as part of a bug bounty program and that there's "no evidence user data, including email addresses or account information, has been compromised or misused."