Lovense Users at Risk as Email Leak Vulnerability Remains Unpatched

Published 2 days ago
By Leela Sehgal

A serious privacy flaw in the connected sex toy ecosystem Lovense has left millions of users vulnerable to doxxing and harassment. Despite being informed months ago, the company has yet to fix the issue, exposing the personal email addresses of anyone whose username is publicly known.
Email Exposure Flaw Still Active After Months
A zero-day vulnerability in Lovense’s app infrastructure can allow an attacker to reveal a user’s email address simply by knowing their Lovense username. This kind of flaw is especially dangerous given that many users — including adult content creators — share their usernames publicly on forums, cam platforms, or fan services.
The vulnerability, first discovered by security researcher BobDaHacker alongside collaborators Eva and Rebane, exploits the way Lovense handles usernames and its chat system. With a few API requests and some basic scripting, the email address tied to any known username can be exposed in under a second.
And it gets worse: the user doesn’t have to accept any friend requests or interact with the attacker for the data to be leaked.
How the Exploit Works, Step by Step
The core of the problem lies in Lovense’s integration between its chat system (based on XMPP) and backend API authentication. Here’s how the attack unfolds:
The attacker logs in to the Lovense API using their credentials to receive a “gtoken” and encryption keys.
They encrypt a known Lovense username with those keys.
The encrypted payload is sent to a specific API endpoint.
The server responds with an email-based Jabber ID that reveals the real email address embedded within it.
Even more concerning, the entire process can be automated and scaled — researchers confirmed scripts could perform these lookups in under a second per user.
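The root cause described above is that the chat identity (the Jabber ID) is derived from the user's email, so any username-to-JID resolution doubles as an email lookup. The following is an added illustration, not code from Lovense or the researchers: it contrasts an email-derived JID (the JID layout is an assumed, constructed format) with an opaque JID derived from a keyed hash of the internal account id, and adds the per-caller rate limit a defender would put on the resolution endpoint to catch bulk enumeration. The chat domain, sample accounts and secret are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

CHAT_DOMAIN = "chat.example.invalid"  # assumed XMPP domain, not a real service

# Constructed sample accounts for the demonstration.
USERS = {
    "cammodel01": {"id": 1001, "email": "private.person@example.com"},
    "fan_42": {"id": 1002, "email": "someone.else@example.org"},
}


def email_derived_jid(user):
    """Anti-pattern (assumed layout): the JID embeds the email, so anyone
    who can resolve a username to its JID learns the email."""
    return user["email"].replace("@", "_") + "@" + CHAT_DOMAIN


def opaque_jid(user, server_secret: bytes):
    """Mitigation: a stable but non-reversible identity derived from the
    internal account id with a server-side keyed hash (HMAC-SHA256)."""
    mac = hmac.new(server_secret, str(user["id"]).encode(), hashlib.sha256)
    return mac.hexdigest()[:24] + "@" + CHAT_DOMAIN


def jid_leaks_email(jid, email):
    """True if the email's local part is recoverable from the JID."""
    local = email.lower().split("@", 1)[0]
    return local in jid.lower()


class LookupRateLimiter:
    """Sliding-window limit per caller on username->JID resolution.
    Hundreds of lookups from one token is the enumeration signal to alert on."""

    def __init__(self, max_lookups, window_s):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self.calls = defaultdict(deque)  # caller -> timestamps of recent lookups

    def allow(self, caller, now):
        q = self.calls[caller]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop lookups that fell out of the window
        if len(q) >= self.max_lookups:
            return False  # deny and (in production) raise an alert
        q.append(now)
        return True
```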
Public Usernames Make Exploitation Easy
One of the most troubling aspects of the flaw is just how easy it is to gather target usernames. Many Lovense users share their handles on platforms like Reddit, cam sites, or community forums. Cam models especially are at risk — their usernames are often tied to professional personas, and this bug can bridge the gap to their private contact info.
Researchers also flagged Lovense’s own tools, like the FanBerry extension, as possible vectors to collect usernames en masse. Since cam models frequently reuse usernames across platforms, attackers can sweep up thousands of accounts with minimal effort.
And the researchers didn’t need theoretical proof — they created test accounts, replicated the flaw live, and demonstrated successful email extraction from real usernames.
Lovense Response: Mixed Messages and Long Timelines
The vulnerabilities were reported to Lovense on March 26, 2025. The company responded, acknowledging the account hijack flaw but downplaying the email leak, saying it was already known and addressed in an upcoming version.
Only part of that turned out to be true.
The critical account hijack issue — which let attackers generate login tokens using only an email address, no password required — was eventually patched. But that took months, and even then, researchers found the fix incomplete until July.
As for the email exposure bug? That remains active, according to tests conducted as recently as this month.
Lovense claimed it needed 14 months to fully resolve the flaw because the fix would break backward compatibility with older app versions. The researchers weren’t impressed.
In one statement, BobDaHacker wrote:
“Your users deserve better. Stop putting old app support over security. Actually fix things. And test your fixes before saying they work.”
A Problem Years in the Making
Unfortunately, this isn’t Lovense’s first brush with privacy issues. Back in 2016, the company faced criticism for exposing email addresses and even allowing attackers to verify whether a specific email had an account on the platform.
This time, however, the stakes are arguably higher. The user base has grown significantly — Lovense claims to serve over 20 million customers worldwide — and the integration of remote features in camming and long-distance intimacy apps means usernames that were once private are now widely public.
And the researchers weren’t exaggerating the risk. They showed BleepingComputer that the vulnerability still worked even after Lovense claimed to have deployed a mitigation proxy update on July 3.
The updated app didn’t fix the issue either.
Who’s at Risk — And Why It Matters
This kind of exposure isn’t just a technical hiccup. It could have real-world consequences:
Cam models, who depend on privacy, could face harassment, threats, or doxxing.
Everyday users might unknowingly link their sex toy usage to work or personal email addresses.
Attackers could build massive datasets by scraping forums for usernames and bulk extracting emails.
Even without full account hijacking, linking usernames to emails opens the door to phishing attacks, account resets, or blackmail.
And Lovense users often have little idea their email could be exposed simply by using the platform — or even by muting someone in chat, which is how the researcher originally stumbled onto the flaw.
Lovense’s Path Forward Remains Unclear
While the company has promised a long-term fix and even paid the researchers $3,000 for their disclosures, they’ve also misrepresented the timeline and scope of their responses. Lovense’s decision to prioritize legacy support over an immediate fix has drawn significant backlash from the security community.
“Choosing stability over safety,” one researcher quipped on Mastodon.
Whether Lovense will speed up its fix now that the issue is public remains to be seen. The longer it waits, the more time attackers have to exploit what’s essentially an open secret in the security world.
BleepingComputer contacted Lovense for comment — as of now, they haven’t responded.