The Lovense email leak has exposed users of the popular sex tech brand to serious privacy risks, allowing attackers to extract plaintext email addresses using only usernames. Security researchers say the company failed to fix the flaw for more than a year—even after multiple disclosures.
Ethical hacker BobDaHacker first discovered the issue while casually using the app. After muting another user, he noticed the API returned their email address. That sparked a deeper investigation, revealing that anyone could extract a user’s real email address from their public username using a straightforward attack chain.
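The root cause the researcher describes at this point, an API call that echoes another user's full record including the email, is a classic case of excessive data exposure: the server serializes its internal user object instead of an allowlist of public fields. The following is an added, hypothetical Python example (constructed for this article; it is not Lovense's code, nor the researchers' tooling, and the `User` model, the `mute_*` functions and the sample accounts are all invented) showing the leaky pattern beside the fixed one, plus a small response check a defender can run in tests or CI to catch private fields before they ship.

```python
"""Allowlisting the fields an API returns about *another* user.

Constructed example. Models the failure mode described in the article
(a 'mute' call that returns the muted user's full record, email included)
next to the fix: serialize other users only through an explicit allowlist.
"""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    username: str
    email: str          # private: must never reach another user's client
    password_hash: str  # private
    display_name: str


# Constructed sample accounts (not real data)
USERS = {
    1: User(1, "alice", "alice@example.invalid", "argon2$placeholder", "Alice"),
    2: User(2, "bob", "bob@example.invalid", "argon2$placeholder", "Bob"),
}
MUTES: dict[int, set[int]] = {}

# The only attributes a stranger is allowed to see about a user.
PUBLIC_FIELDS = ("id", "username", "display_name")
PRIVATE_FIELDS = {"email", "password_hash"}


def _lookup(username: str) -> User:
    return next(u for u in USERS.values() if u.username == username)


def serialize_public(user: User) -> dict:
    """Allowlist serializer: anything not listed is dropped by construction."""
    return {f: getattr(user, f) for f in PUBLIC_FIELDS}


def mute_vulnerable(actor_id: int, target_username: str) -> dict:
    """'Before': dumps the whole model object, so the email leaks to the caller."""
    target = _lookup(target_username)
    MUTES.setdefault(actor_id, set()).add(target.id)
    return {"muted": asdict(target)}


def mute_fixed(actor_id: int, target_username: str) -> dict:
    """'After': same behaviour, but the response goes through the allowlist."""
    target = _lookup(target_username)
    MUTES.setdefault(actor_id, set()).add(target.id)
    return {"muted": serialize_public(target)}


def leaks_private_fields(response: dict) -> list[str]:
    """Walk a JSON-like response and list any private field names it carries.

    Suitable as a unit-test assertion or a contract test against a staging
    API: every endpoint that returns data about other users should yield [].
    """
    found: list[str] = []

    def walk(obj) -> None:
        if isinstance(obj, dict):
            for key, value in obj.items():
                if key in PRIVATE_FIELDS:
                    found.append(key)
                walk(value)
        elif isinstance(obj, list):
            for value in obj:
                walk(value)

    walk(response)
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_private_fields(mute_vulnerable(1, "bob")))
    print("fixed leaks:     ", leaks_private_fields(mute_fixed(1, "bob")))
```

The design point is that the fix is an allowlist, not a denylist: a new private column added to `User` later stays hidden without anyone remembering to exclude it, whereas `asdict(target)` would leak it the day it was added. The `leaks_private_fields` check is the regression test that would have flagged the mute response on the first run.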
Exploiting the flaw takes seconds
The vulnerability hinges on multiple unsecured APIs and weak authentication flows. Attackers can:
- Generate encryption tokens using account credentials
- Encrypt any public username using the provided keys
- Decrypt the placeholder (fake) email addresses the server returns
- Connect to Lovense’s XMPP server and match them to real addresses
The entire attack takes 30 seconds manually—or less than a second with a script.
Worse still, a second flaw lets attackers generate authorization tokens without passwords. This allowed anyone to hijack accounts by knowing only an email address, including admin and cam model accounts tied to Lovense tools like SteamMaster and Cam101.
Flaws still not fully fixed
According to BobDaHacker, Lovense took more than 14 months to partially address the issue. In July 2025, he reported that the API still generates tokens—though they don’t work on most endpoints. The researcher criticized the company’s delay, stating it would rather expose user data than force app updates.
Another researcher, Krissy, said she found the same issue back in September 2023 with her friend SkeletalDemise. Their method didn’t even require XMPP—it relied on a simple API call that allowed username-to-email and email-to-username conversion.
Krissy claims Lovense marked the vulnerability as “resolved” while continuing to allow the bug to exist silently. She received only $350 in bounty rewards, while BobDaHacker and co. earned $3,000. She has since asked for her bounty to be re-evaluated.
Risk to cam models and users
Lovense’s devices are widely used by cam models and privacy-conscious users. The leaked data puts them at risk of doxxing, phishing, and harassment. Researchers now recommend users rely on burner emails and reconsider trusting a platform that “takes 4+ months to half-fix critical bugs.”
Conclusion
The Lovense email leak highlights the risks of poorly secured APIs and unaddressed vulnerabilities in consumer tech. While some fixes have been applied, researchers say the issue isn’t fully resolved. For users, the breach is a stark reminder that even in intimate tech spaces, data safety is far from guaranteed.