
Sex toy maker Lovense threatens legal action after fixing security flaws that exposed users' data
While the company said the bugs were 'fully resolved,' its chief executive is now considering taking legal action following the disclosure.
In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was 'investigating the possibility of legal action' in response to allegedly erroneous reports about the bug. The company did not respond when TechCrunch asked whether it was referring to media reports or to the security researcher's disclosure.
Details emerged this week after a security researcher who goes by the handle BobDaHacker disclosed that they had reported two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a 'faster, one-month fix' that would have required alerting users to update their apps.
Lovense said in its statement, attributed to Liu, that the fixes put in place will require users to update their apps before they can resume using all of the app's features.
In the statement, Liu claimed that there is 'no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.' It's not clear how Lovense came to this conclusion, given that TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.
TechCrunch asked Lovense what technical means, such as logs, the company has to determine if there was any compromise of users' data, but a spokesperson did not respond. Without such records, a statement that there is 'no evidence' of misuse says only that nothing was found, not that nothing happened.
It's not unheard of for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite few rules or restrictions in the U.S. prohibiting such reporting.
Earlier this year, a U.S. independent journalist rebuffed a legal threat, backed by a U.K. court injunction, over accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state's computer hacking laws for identifying and privately disclosing a security flaw in the county's court records system that exposed access to sensitive filings.
Related Articles


Washington Post, 44 minutes ago
Federal appeals court clears DOGE to access sensitive records at agencies
A divided appeals court panel on Tuesday said the Trump administration's U.S. DOGE Service can access sensitive data held by federal agencies, rejecting concerns that the move runs afoul of privacy law. In a 2-1 decision, a panel from the U.S. Court of Appeals for the 4th Circuit concluded that plaintiffs in the case, a group that includes labor unions and individual people receiving government benefits, had failed to show they could prevail in their legal challenge. The plaintiffs had asked courts to keep DOGE representatives from accessing personal information held by the Treasury Department, Office of Personnel Management and Education Department, saying that this action violated federal privacy law. Judge Julius N. Richardson, joined by Judge G. Steven Agee, wrote that the plaintiffs in the case "have struggled to show" they suffered harm in the case. Federal privacy law 'does not prohibit sharing information with those whose jobs give them good reason to access it,' Richardson wrote. He also suggested it made sense that DOGE affiliates 'tasked with modernizing an agency's software and IT systems would require administrator-level access to those systems, including any internal databases.' Richardson was nominated to the bench by Trump during his first term; Agee was nominated by President George W. Bush. Trump in January signed an executive order creating DOGE — which stands for the Department of Government Efficiency, though it is not a Cabinet-level agency — and ordered agency heads to give it 'full and prompt access to all unclassified agency records, software systems, and IT systems.' DOGE has been one of the most contentious initiatives of Trump's second term, spurring internal disputes within the administration and legal challenges. Trump ally Elon Musk oversaw it before he stepped away from the government. Plaintiffs in this case had sued to block DOGE from accessing personal information, and a judge in Maryland granted the request. 
The Trump administration appealed, accusing the judge of micromanaging the Executive Branch. Richardson and Agee agreed in April to stay the lower court's action amid the administration's appeal. Writing on Tuesday, the judges pointed to a U.S. Supreme Court order in another dispute involving DOGE and sensitive data. The high court in June had cleared the way for DOGE to access Social Security Administration data in a separate case, saying this was needed for its 'members to do their work.' 'This case and that one are exceedingly similar,' Richardson, joined by Agee, wrote Tuesday. They vacated the lower court's order and sent the matter back there for further proceedings. In a dissent, Judge Robert B. King wrote that the lower court had 'acted quickly — but extremely carefully' in temporarily blocking DOGE from accessing certain information. King, who was nominated by President Bill Clinton, said he would have kept the lower court order in place.


Forbes, 3 hours ago
Cyber Resilience Must Become The Third Pillar Of Security Strategy
For years, enterprise security has been built around two main pillars: prevention and detection. Firewalls, endpoint protection, and intrusion detection systems all aim to stop attackers before they do damage. But as threats grow more sophisticated, it's clear that this isn't enough. 'Cloud insecurity is inevitable,' says Kavitha Mariappan, chief transformation officer at Rubrik. The phrase reflects a shift in mindset taking hold across the industry: breaches will happen, and organizations need to prepare to recover as quickly and completely as possible. That requires elevating cyber resilience to stand alongside prevention and detection as an equal pillar of security strategy.

Why Resilience Matters Now
Mariappan has spent years in the prevention-and-detection world and understands its limits. 'We've built entire strategies around stopping attacks, with the belief that all attacks are preventable. They're not,' she says. Richard Stiennon, chief research analyst at IT-Harvest, sees Mariappan's approach as a natural progression that he describes as hyper-layers of defense. 'Prevention is always the best and provides immediate benefits. While needed, detection opens a can of worms and adds to workloads. If all else fails, the resilience layer ensures that the impact of a successful breach is minimized or at least contained.' Attackers today exploit sprawling, complex environments that span on-premises systems, multiple clouds, and hundreds of SaaS apps. Even the best defenses can't block every breach, whether it's from ransomware, insider threats, or supply chain compromises. Resilience, the ability to minimize damage, restore operations quickly, and maintain business continuity, is what keeps an incident from becoming a crisis.

The Cloud Responsibility Gap
The shift to cloud computing has created dangerous assumptions. Many organizations believe that moving workloads to AWS, Azure, or Google Cloud means the provider 'takes care of security.' While hyperscalers secure their infrastructure, customers are responsible for protecting their own data, configurations, and access. Think of it like a car. The manufacturer builds the car with an accelerator and steering wheel to let you get where you want to go as quickly and efficiently as possible, as well as brakes and a seatbelt to empower you to do so safely. Whether or how you use the tools provided is up to you. The same is true for the capabilities and security controls of cloud infrastructure. The hyperscalers provide the framework, but they're not responsible for how – or if – you use them. Native cloud backup and recovery tools are often designed for operational mishaps, such as restoring accidentally deleted files, not for withstanding modern cyberattacks. Mariappan warns that they can lack the immutability, isolation, and advanced threat detection needed to survive ransomware or coordinated, multi-vector campaigns.

Resilience by Design
Effective resilience starts with rethinking backup as more than a compliance checkbox. Immutable, air-gapped copies prevent attackers from tampering with recovery points. Built-in threat detection can spot ransomware or other malicious activity before it spreads. But technology alone isn't enough. Mariappan urges leaders to identify the 'minimum viable business,' the essential applications, accounts, and configurations required to function after an incident. Recovery strategies should be built around restoring these first to reduce downtime and financial impact. She also stresses the importance of limiting the blast radius. In a cloud context, that might mean segmenting workloads, isolating credentials, or designing architectures that prevent a single compromised account from jeopardizing an entire environment.

The Quantum Horizon
While most resilience planning focuses on immediate threats, Mariappan points to the 'harvest now, decrypt later' risk posed by quantum computing. Attackers can steal encrypted data today, store it cheaply, and wait until quantum capabilities make decryption trivial. That makes encryption hygiene and proactive re-encryption critical, not just after an incident, but as an ongoing practice. 'If the data was already taken, updating your encryption now is too late,' Mariappan notes.

Breaking Down Silos
Resilience planning often stalls because it lives in the wrong place. Backup and recovery budgets sit in IT infrastructure, while security teams focus on preventing attacks. Risk officers may own the broader business continuity mandate, but lack direct control over technical safeguards. Mariappan believes resilience should be a shared responsibility across IT, security, risk, and compliance, with executive and board-level engagement. 'This is no longer just an infrastructure problem,' she says. 'It's critical to the viability of the organization and the management of reputational risk.'

Assume Breach
The new playbook, she argues, is simple: assume breach. That means designing systems, processes, and teams to respond as if an attack has already succeeded. The goal is not to eliminate risk entirely, an impossible task, but to ensure the organization can recover without catastrophic losses. There's a cost to building resilience. It competes for budget with other security priorities. But the cost of not investing, weeks or months of downtime, regulatory penalties, damaged customer trust, is far higher. Mariappan puts it bluntly: 'More detection and prevention tools are not going to keep you 100% safe. Cyber resilience must be a first-class citizen in your security and risk strategy.'
Yahoo, 5 hours ago
AI companion apps on track to pull in $120M in 2025
Demand for AI 'companion' applications outside of bigger names, like ChatGPT and Grok, is growing. Of the 337 active and revenue-generating AI companion apps available worldwide, 128 were released in 2025 so far, according to new data provided to TechCrunch by app intelligence firm Appfigures. This subsection of the AI market on mobile has now generated $82 million during the first half of the year and is on track to pull in over $120 million by year-end, the firm's analysis indicates. Unlike general-purpose chatbots, AI companion apps anthropomorphize AI interactions by allowing users to converse with custom characters, including friends, lovers, girlfriends or boyfriends, fantasy characters, and more. Appfigures defined the market segment in the same way, describing companion apps as those in which the user can interact with either premade or user-generated synthetic characters meant to embody an actual personality. Popular apps in this space include Replika, PolyBuzz, Chai, and others. As of July 2025, AI companion apps across the Apple App Store and Google Play have been downloaded 220 million times globally. During the first half of 2025, downloads were up 88% year-over-year, reaching 60 million. Appfigures crunched the numbers and found that, as of July 2025, AI companion apps have driven $221 million in consumer spending worldwide. So far this year, these apps have generated 64% more revenue than during the same period in 2024. The top 10% of all AI companion apps generate 89% of the revenue in the category, the data shows. In addition, around 10% (or 33) of the apps have exceeded $1 million in lifetime consumer spending. Revenue per download is also up $0.66 from $0.52 in 2024 to $1.18 for the category so far in 2025. While dedicated AI companion apps are fairly popular, bigger companies like xAI are also moving into the market. In July, xAI's Grok launched AI companions, including an anime girl and guy, as well as a snarky 3D fox. 
Meanwhile, ChatGPT's recent upgrade to GPT-5 brought to light the fact that many of its users felt a kinship with the older model, as they mourned the loss of their AI companion, whom they had come to depend upon. To address these and other concerns about GPT-5's performance, OpenAI CEO Sam Altman brought back the 4o model for the time being. Google last year tapped into the market, too, when it hired away a leading companion app's founder, Noam Shazeer. That app lives on and still has tens of millions of monthly active users. According to Appfigures' data, the most popular AI companion apps are those used by people looking for an AI girlfriend. Of the active apps on the market today, 17% have an app name that includes the word 'girlfriend,' compared with 4% that say 'boyfriend' or 'fantasy.' Terms like anime, soulmate, and lover, among others, are less frequently mentioned. The firm notes there were likely a number of other AI companion apps that launched on the app stores since 2022 but were later removed after failing to gain traction in terms of revenue or downloads. Those weren't factored into its analysis.