Lovense has finally fixed its account takeover problem

Lovense is well-known for its selection of remote-controlled vibrators. It’s slightly less known for a massive security issue that exposed user emails and allowed accounts to be wholly taken over by a hacker without even needing a password. Fortunately, both issues have been fixed, but it didn’t happen without some drama. 

As the story goes, security researcher BobDaHacker (with some help) accidentally found out that you could uncover a user’s email address pretty easily by muting someone in the app. From there, they were able to figure out that you could do this with any user account, effectively exposing every Lovense user’s email without much effort. 

With the email in hand, it was then possible to generate a valid gtoken without a password, giving a hacker total access to a person’s Lovense account with no password necessary. The researchers told Lovense of the issue in late March and were told that fixes were incoming. 

In June 2025, Lovense told the researchers that the fix would take 14 months to implement because it did not want to force legacy users to upgrade the app. Partial fixes were implemented over time, only partially fixing the problems. On July 28, the researchers posted an update showing that Lovense was still leaking emails and had exposed over 11 million user accounts. 

"We could have easily harvested emails from any public username list," BobDaHacker said in a blog post. "This is especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed."

It was around then that the news started making its way around the news cycle. Other researchers began reaching out to show that the exploit had actually been known as far back as 2022, and Lovense had closed the issue without issuing a fix. After two more days in the news cycle, the sex toy company finally rolled out fixes for both exploits on July 30. 

It’s not Lovense’s first roll in the mud. In 2017, the company was caught with its proverbial pants down after its app was shown to be recording users while they were using the app and toy. Lovense fixed that issue as well, stating that the audio data was never sent to their servers.