Latest news with #BobDaHacker
Yahoo
01-08-2025
Sex toy maker Lovense threatens legal action after fixing security flaws that exposed users' data
Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed users' private email addresses and allowed attackers to remotely take over any user's account. While the company said the bugs were 'fully resolved,' its chief executive is now considering taking legal action following the disclosure.

In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was 'investigating the possibility of legal action' in response to allegedly erroneous reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or a security researcher's disclosure.

Details of the bug emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a 'faster, one-month fix' that would have required alerting users to update their apps.

Lovense said in its statement, attributed to Liu, that the fixes put in place will require users to update their apps before they can resume using all of the app's features.

In the statement, Liu claimed that there is 'no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.' It's not clear how Lovense came to this conclusion, given TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address. TechCrunch asked Lovense what technical means, such as logs, the company has to determine if there was any compromise of users' data, but a spokesperson did not respond.

It's not unheard of for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite few rules or restrictions in the U.S. prohibiting such reporting. Earlier this year, a U.S. independent journalist rebuffed a legal threat from a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state's computer hacking laws for identifying and privately disclosing a security flaw in the county's court records system that exposed access to sensitive filings.




Hindustan Times
31-07-2025
Millions of sex toy users had emails and accounts exposed by app flaw
A security researcher has claimed that serious flaws in the Lovense app exposed users' email addresses and allowed full account takeovers for months, potentially exposing their purchase history.

Lovense, a popular maker of internet-connected sex toys with over 20 million users, was first alerted to the vulnerabilities in March. But according to the researcher, who goes by the handle BobDaHacker, the company delayed addressing the issues. One of them has still not been fully fixed.

Emails exposed through app interactions

The researcher discovered that while using the Lovense app, it was possible to see other users' email addresses through a network analysis tool. He discovered this vulnerability when he muted his ex-partner's account and it exposed their email.

'Just muting someone exposed their email… After digging deeper, I figured out how to turn any username into their email address,' the security researcher wrote in a blog post. 'This was especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed.'

A TechCrunch report confirmed the vulnerability by creating a new account and asking the researcher to find the registered email, which they did in under a minute. According to BobDaHacker, a script could reportedly automate this process in less than a second — potentially exposing millions of users and their purchasing activity.

Account takeover possible with just an email

A second vulnerability discovered by the researcher allowed anyone to take over a Lovense user's account using just their email address. The flaw involved the ability to generate valid authentication tokens without needing the user's password.

'Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,' BobDaHacker said.

Lovense says it's fixing the bugs… eventually

Lovense was informed of the issues on March 26, via the Internet of Dongs — a project that helps report security flaws in sex tech. The company paid the researcher $3,000 through HackerOne as part of a bug bounty. However, after months of discussions, Lovense reportedly said it would need 14 months to roll out a fix for the email disclosure issue in order to avoid disrupting users with legacy devices.

'We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,' Lovense told the researcher, according to the blog post.

In a recent statement to Bleeping Computer, Lovense said an app update 'addressing the latest vulnerabilities' has been submitted to app stores. 'The full update is expected to be pushed to all users within the next week,' the company said.


The Irish Sun
30-07-2025
Major 'sex toy leak' reveals shoppers who bought them and even 'personal emails' as company scrambles to fix bug
SHOPPERS have had their cheeky purchases leaked, and possibly their accounts hacked, following the breach of a popular sex toy app. Lovense, which makes internet-connected sex toys, reportedly left user emails exposed for months without fixing the cybersecurity flaw.

In a blog post, security researcher BobDaHacker writes that they discovered a flaw that allowed anyone to 'turn any username into their email address,' which could then be used to take over someone's account. All it took to expose someone's email address, according to the researcher, was to mute someone's account.

BobDaHacker told Lovense about the vulnerability in March. However, they claim the company waited months before fixing it, and still hasn't fully addressed the issue.

The Lovense platform is connected to the company's sex toy products, which can be controlled from afar via the app. The app is also used to "find like-minded thrill seekers", according to the company, and came under fire in 2017 for a "minor bug" that recorded users' sex sessions.

BobDaHacker says they have developed a script that can convert someone's username into an email address in less than a second. 'This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed,' BobDaHacker writes in their post.

A user's email address, combined with an authentication token generated by Lovense and captured by a hacker, is enough to take over a user's account. The account takeover bug was fixed in April, according to Lovense, although BobDaHacker disputes this and says that a fix for the email leak issue would take 14 months to roll out.

"We also evaluated a faster, one-month fix," Lovense said, according to BobDaHacker. "However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions."

Other security researchers reported the same account takeover bug to Lovense in 2023, according to BobDaHacker. But The Verge noted that the company appears to have closed the bug without actually fixing it. In a statement to Bleeping Computer, Lovense says it has submitted an app update 'addressing the latest vulnerabilities' to app stores. 'The full update is expected to be pushed to all users within the next week,' Lovense says. 'Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.'

The Sun has contacted Lovense for comment.


Scottish Sun
30-07-2025
Major 'sex toy leak' reveals shoppers who bought them and even 'personal emails' as company scrambles to fix bug
SHOPPERS have had their cheeky purchases leaked, and possibly their accounts hacked, following the breach of a popular sex toy app. Lovense, which makes internet-connected sex toys, reportedly left user emails exposed for months without fixing the cybersecurity flaw.

In a blog post, security researcher BobDaHacker writes that they discovered a flaw that allowed anyone to 'turn any username into their email address,' which could then be used to take over someone's account. All it took to expose someone's email address, according to the researcher, was to mute someone's account.

BobDaHacker told Lovense about the vulnerability in March. However, they claim the company waited months before fixing it, and still hasn't fully addressed the issue.

The Lovense platform is connected to the company's sex toy products, which can be controlled from afar via the app. The app is also used to "find like-minded thrill seekers", according to the company, and came under fire in 2017 for a "minor bug" that recorded users' sex sessions.

BobDaHacker says they have developed a script that can convert someone's username into an email address in less than a second. 'This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed,' BobDaHacker writes in their post.

A user's email address, combined with an authentication token generated by Lovense and captured by a hacker, is enough to take over a user's account. The account takeover bug was fixed in April, according to Lovense, although BobDaHacker disputes this and says that a fix for the email leak issue would take 14 months to roll out.

"We also evaluated a faster, one-month fix," Lovense said, according to BobDaHacker. "However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions."

Other security researchers reported the same account takeover bug to Lovense in 2023, according to BobDaHacker. But The Verge noted that the company appears to have closed the bug without actually fixing it. In a statement to Bleeping Computer, Lovense says it has submitted an app update 'addressing the latest vulnerabilities' to app stores. 'The full update is expected to be pushed to all users within the next week,' Lovense says. 'Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.'

The Sun has contacted Lovense for comment.