Once again, we’re watching a tech company fail to protect users’ private data. Lovense, the maker of internet-connected sex toys used by over 20 million people, let two serious security flaws sit for months. One exposed users’ email addresses. The other could let someone hijack their entire account and control their connected devices, using nothing more than an email address.
In both cases, the company knew about the issues. In both cases, they delayed full fixes. In the process, they showed exactly how not to handle security in products built for our most intimate moments.
Two Bugs. Two Very Big Problems.
The first bug leaked users’ email addresses. The address never appeared on screen, but anyone using basic network monitoring tools could intercept it while interacting with the app. That’s a nightmare scenario for users who share their usernames publicly, such as cam models or adult content creators, who then face the risk of being doxxed or harassed.
The second bug was even worse. It allowed anyone to take over a user’s account simply by knowing their email address. No password. No verification. Just an email. From there, the attacker could control any connected Lovense device.
Security researcher BobDaHacker flagged both bugs to Lovense through the Internet of Dongs project back in March 2024. According to Bob, the email-leaking flaw may have existed as far back as September 2023.
Lovense’s 14-Month Excuse
Lovense didn’t deny the flaws. But they did offer a puzzling explanation: they claimed it would take 14 months to fully fix both issues without cutting off access for users of older devices. A quicker, one-month fix was rejected because it would’ve forced users to upgrade immediately, something the company said it wanted to avoid.
The idea, according to Lovense, was to avoid disrupting service for legacy users. But delaying the security fix for the sake of convenience left all users vulnerable in the meantime. This isn’t new territory for Lovense. Back in 2017, the company came under fire for a so-called “minor bug” that recorded users’ sex sessions without their knowledge.
Despite the severity of the flaws, Lovense dragged its feet. It took public pressure for the company to act. Eventually, BobDaHacker confirmed that Lovense had closed off the email leak and blocked the account hijack trick. This only happened months after the initial disclosure. Lovense even awarded the researcher a $3,000 bug bounty, but has yet to publicly address the situation, or respond to media requests. How many more security issues has Lovense quietly patched or quietly ignored?
A Wake-Up Call for the Internet of Things
The Lovense incident isn’t happening in a vacuum. It comes on the heels of the Tea app breach, another case where deeply personal data was mishandled. Together, these breaches highlight a dangerous trend in the Internet of Things (IoT): tech companies are racing to connect everything to the cloud without building in the privacy protections users need.
This affects more than just Lovense users. Any company building smart, connected, or intimate devices should see this as a clear warning. If you can’t protect your users from basic privacy threats, you shouldn’t be handling their data or their devices.
What Needs to Happen Now?
First, Lovense should be investigated. Not just for these bugs, but for how long it took to address them. Regulators need to step in, and fast. The idea that a company can knowingly leave users exposed for over a year because it’s more “convenient” is unacceptable when the risks involve physical and psychological harm.
Second, we need industry-wide reform. Companies making smart sex toys, or any IoT health device, should be held to the same security and privacy standards as health tech. This includes faster vulnerability disclosures, mandatory upgrade paths, and transparent communication when things go wrong.
When it comes to intimate tech, privacy isn’t a feature. It’s the foundation, and Lovense’s handling of these security flaws shows how quickly things can fall apart.
If companies want users to trust them with their most private moments, they need to start acting like it. That means fixing problems fast, owning up to mistakes, and putting user safety first, even if it’s inconvenient. Because in the world of connected intimacy, a “minor” bug isn’t just bad PR. It’s a breach of trust with real human consequences.