282/68 Tuesday, August 5, 2025

Lovense has urgently released patches to address two critical vulnerabilities after a security researcher known as “BobDaHacker” revealed that the flaws could allow attackers to remotely take over user accounts and expose email addresses, all without needing a password.
The first vulnerability stemmed from the app transmitting user email addresses without encryption, allowing attackers to intercept and match usernames with emails. The second flaw enabled unauthenticated logins, letting attackers access a Lovense account simply by knowing the victim’s email address, bypassing any form of verification.
Although Lovense initially claimed it would take over 14 months to fully resolve the issues, public backlash prompted the company to release fixes in just two days, with patches completed on July 30, 2025. CEO Dan Liu told TechCrunch that all vulnerabilities had been fixed and that there was no evidence of data breaches or misuse. However, the company is reportedly considering legal action against the individual who disclosed the flaws, arguing that the disclosure could lead to public misunderstanding.
Researcher BobDaHacker criticized Lovense’s initial negligence toward security disclosure, suggesting that without public pressure, the company may not have acted promptly, despite the serious privacy implications for users, especially given the sensitive nature of the devices involved.