Lovense Addresses Account Takeover Problem


Lovense is famous for its collection of vibrators that can be controlled remotely. However, it had a major security flaw that exposed user emails and let hackers take over accounts without a password. Thankfully, these problems have now been addressed, though not without some controversy.

Security analyst BobDaHacker found that user email addresses could be easily accessed by muting an individual in the app. This vulnerability made it possible to reveal every Lovense user’s email with minimal effort.

With the email in hand, hackers could create a valid gtoken without needing a password, gaining full access to a Lovense account. The researchers alerted Lovense about the issue in late March, and the company promised to implement fixes.

In June 2025, Lovense told the researchers that the fix would take 14 months because of concerns about forcing legacy users to upgrade the application. Partial remedies were put in place, but the issues continued. On July 28, researchers announced that Lovense was still leaking emails, affecting over 11 million user accounts.

“We could have effortlessly gathered emails from any public username listings,” BobDaHacker remarked in a blog entry. This was especially troubling for cam models who publicly disclose their usernames but prefer to keep their personal emails confidential.

The news began to spread, and other researchers disclosed that the vulnerability had been known since 2022, with Lovense having closed the issue without providing a solution. After two more days of media attention, Lovense finally implemented fixes for both vulnerabilities on July 30.

This isn’t the first time Lovense has encountered a security problem. In 2017, the firm faced criticism when it was revealed that its app was recording users during operation. Lovense addressed that concern, clarifying that the audio data was never transmitted to their servers.