Company considers legal action over reports about the flaws.
Sex tech firm Lovense has issued updates to resolve security issues that not only leaked users' email addresses, but also enabled remote account takeovers.
According to TechCrunch, Lovense CEO Dan Liu emphasised the lack of evidence indicating the exposure and subsequent misuse of user information, including email addresses and other account details.
In an email to SC UK, Lovense said that "user safety and privacy have always been our highest priorities at Lovense", that all identified vulnerabilities have been fully addressed, and that there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.
The statement from Liu said that a security researcher identified two vulnerabilities in its systems:
- Email Address Exposure: A bug that could potentially expose email addresses associated with Lovense accounts through specific network activity.
- Account Takeover Risk: A vulnerability that may allow unauthorized access to accounts using email addresses without requiring passwords.
The company confirmed that the vulnerabilities were discovered under controlled conditions by the researcher, who is part of a bug bounty platform the company joined in 2018, and not through malicious activity.
No Compromise or Misuse
It also stated that “there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.”
Liu’s statement said the company regrets any concern this report may have caused, and it remains steadfast in protecting user privacy and security. To prevent similar issues in the future, it is:
- Strengthening collaboration with external security researchers and platforms to enhance detection and response times
- Proactively communicating with users about security updates to maintain transparency and trust. We will also be rolling out a statement to users about these vulnerabilities.
- Conducting a comprehensive review of our security practices to proactively identify and resolve potential vulnerabilities
Lovense is also reportedly considering legal action against purportedly inaccurate reports regarding the vulnerabilities. Liu said the company was “investigating the possibility of legal action” in response to allegedly erroneous reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or to a security researcher’s disclosure.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.