Bad vibes only: A zero-day flaw in popular sex toy app Lovense can leak usernames, email addresses, and other, err, intimate details
Data security in this day and age was already a joke. Besides one accurately guessed password putting a 158-year old company out of business, hackers keep finding zero-day flaws in Chrome like it's going out of fashion. Speaking of, the latest data security punchline involves a zero-day flaw in Lovense, an app designed to remotely control a number of different sex toys—and before you ask, yes, my family is always telling me how proud they are of what I do for a living.
Simply by knowing someone's Lovense username, hackers can reportedly leverage the zero-day flaw to get at users' email addresses and potentially more private information too (via Bleeping Computer). Worse still, it turns out that simply by knowing a user's email address, hackers can then also hijack their Lovense account.
The vulnerability was believed to have been first reported to the company back in March, with security researcher BobDaHacker sharing a public blog post in June that breaks down the technical ins and outs of the vulnerability. In Bob's own words, "It all started when I was using the Lovense app and muted someone. That's it. Just muted them. But then I saw the API response and was like... wait, is that an email address? Why is that there?"
While it's 'haha very funny' that not even your sex toy with app integration is safe from data breaches, it remains hilarious only up until a sufficiently motivated bad actor follows the breadcrumb trail of user details in the Lovense app to somewhere that hits uncomfortably close to home. As amusing as the thought of a rogue vibrator is, these two vulnerabilities present serious doxing concerns for both regular users and cam performers alike. Unfortunately, this story gets worse.
By Bob's own admission, it turns out Lovense has been aware of the account takeover issue since at least 2023, when it was first flagged by software engineer Krissy. Lovense has repeatedly claimed to have fixed the issue since then. However, testing by Bob and fellow security researchers Eva and Rebane discovered these fixes left much to be desired as potentially account exposing gtokens could still be generated as of July 28, 2025.
So, why is the platform dragging their feet over such a major security flaw? Lovense apparently told Bob over email that "resolving the root cause involves deeper architectural work" that "would disrupt support for legacy versions." To recap, this is regarding a security flaw the company has been aware of in some form for nearly two years already.
Bob advises Lovense users to either only use throwaway email addresses, or to otherwise have a long hard "think about if you trust a company that takes 4+ months to half-fix critical bugs."