
Adult App Linked to Lovense Sex Toys Exposes User Email Addresses: Facts Revealed and Tips on Staying Secure in the Aftermath

Unscrupulous individuals may expose personal data of users through a connected intimate device app


Lovense Data Breach: Ongoing Email Leak Raises Privacy Concerns

A security vulnerability in Lovense's systems, discovered by researcher BobDaHacker, has put the personal data of millions of users at risk. The flaw allows attackers to obtain users' plaintext email addresses simply by knowing their public usernames on the platform.

The exploit chain involves multiple insecure APIs and encryption key leakage, making it possible to automate and carry out the process in seconds. BobDaHacker found the vulnerability while using the “Mute” feature in the app.

Lovense reportedly implemented a proxy-based fix on July 3, 2025, but the update did not fully resolve the email leak issue. The exact changes made by the company have not been clearly disclosed, leaving the effectiveness of the mitigation questionable.

This ongoing exposure raises concerns, particularly because Lovense usernames are often publicly accessible on social media and forums. This makes it easy for attackers to correlate usernames with real email addresses, putting users at risk of doxxing and stalking.

Security researcher Krissy discovered the same vulnerability as BobDaHacker in 2023 and was paid $350, but Lovense did not actually fix the flaw until 2025. The same vulnerability was also discovered in 2023 by other researchers.

BobDaHacker claims a decade-long pattern of Lovense prioritizing legacy app support over user security. A faster, one-month fix was considered but rejected due to potential disruption to support for legacy versions.

Lovense treated the 2023 bugs as new discoveries and paid BobDaHacker, Krissy, and others $3,000 collectively. The company is working on a long-term remediation plan, which will take approximately ten months to fully implement.

In the meantime, users are advised to check whether their details have been affected using the service Have I Been Pwned. Additionally, signing up for a password manager can help protect login information. Google's Password Checkup tool can help determine if any saved passwords have been compromised.


  1. The cybersecurity issue at Lovense, as detailed in BobDaHacker's blog post and numerous reports, has underscored the need for improved data and cloud computing practices within technology companies, particularly regarding vulnerabilities in APIs and leaked encryption keys.
  2. The ongoing Lovense data breach, covered extensively in general news outlets such as The Hacker News and TechCrunch, has brought attention to the crime and justice implications of inadequate cybersecurity measures, including the risks of doxxing and stalking due to the public exposure of usernames and personal email addresses.
