An internet security researcher has exposed flaws in Lovense’s user security that allegedly allowed users’ private email addresses to be gleaned from their usernames, and users’ accounts to be fully taken over.
The findings were made public by the researcher BobDaHacker, who documented them extensively on a blog. They reported that as of Monday, July 28, 2025, there were 11,367,391 registered Lovense accounts.
Lovense has since said that the company has submitted an update to app stores “addressing the latest vulnerabilities”, and that the update is expected to be pushed to users by next Tuesday.

BobDaHacker, a self-described “ethical hacker”, reported that a network analysis tool could be used to discover Lovense users’ email addresses by studying the data flowing through Lovense’s app during an interaction such as blocking a user or sending them a friend request.
They also reported that once a Lovense user’s email had been gleaned, authentication tokens for the Lovense account associated with that email address could be generated, allowing the account to be taken over.
“Cam models use these tools for work, so this was a huge deal,” said BobDaHacker. “Literally anyone could take over any account just by knowing the email address.”
Many live cam models advertise their Lovense usernames on public forums and platforms to help generate more fans, meaning that they could be particularly vulnerable to email leaks and account takeovers.

After BobDaHacker went public with the findings, other security researchers said that they had reported the account takeover bug as far back as 2023.
BobDaHacker said that after they reported the flaws to Lovense in March, the company said it would take up to 14 months for them to be fully fixed. The company reportedly also said that a one-month fix could have been implemented, but it would require users to make digital upgrades and would disrupt support for “legacy” products, so Lovense decided against the quicker fix.
Writing about the email leak issue, BobDaHacker said: “The whole process took maybe 30 seconds per username manually, with the script we made though to automate it, it took less than one second for a username to be converted to an email.”
They added: “We could have easily harvested emails from any public username list. This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed.”

BobDaHacker reportedly had back-and-forth communication with Lovense about resolving the security flaws, with the researcher claiming that the company falsely said that fixes had been made. On Monday the researcher said that Lovense’s security was “still broken”, and that user emails could still be leaked.
Publicly addressing Lovense, BobDaHacker (whose avatar is pictured below) said: “Your users deserve better. Stop putting old app support over security. Actually fix things. And test your fixes before saying they work.”

On Tuesday Lovense told BleepingComputer that a fix was being implemented through a new update to the app. The company said that “the update addressing the latest vulnerabilities” had been submitted to app stores.
Lovense added that “the full update is expected to be pushed to all users within the next week. Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.”
So, yet another reminder to keep your apps up-to-date, folks.