The Lovense app, a platform for connected sex toys, recently faced a critical security issue that exposed user email addresses. This vulnerability allowed attackers to retrieve private emails with just a username, posing serious risks of doxxing, harassment, and account abuse.
How the Lovense Flaw Worked
A security researcher discovered a zero-day flaw in Lovense’s communication system. By exploiting the interaction between the XMPP chat and the backend API, attackers could convert a public username into a private email address.
Exploitation Steps
The attack chain was simple and highly automated:
- Generate an authentication token (gtoken) using the /api/wear/genGtoken endpoint.
- Encrypt a known username and submit it to the /app/ajaxCheckEmailOrUserIdRegisted API endpoint.
- Retrieve a fake Jabber ID (JID), add it to the contact list, and refresh to reveal the actual email embedded in the real JID.
Researchers demonstrated that this could be completed in under one second per target. Public usernames on forums and social media made it easy to identify potential victims.
Wider Risks for Users and Cam Models
The flaw carried serious privacy risks for Lovense’s 20 million users, especially cam models who publicly share their usernames. Exposed emails could lead to:
- Harassment and doxxing
- Phishing attacks
- Blackmail attempts
This case highlights the privacy risks of IoT devices and connected platforms, where even usernames can become gateways to private information.
Lovense’s Response and Delayed Patches
Researchers reported the flaws on March 26, 2025. While Lovense initially fixed a critical account hijacking flaw, the company delayed resolving the email leak, citing compatibility issues with older app versions.
Lovense chose a 14-month remediation plan instead of a rapid forced update. According to BobDaHacker, the company repeatedly claimed the flaws were fixed while the vulnerability persisted.
Only in late July 2025 did Lovense confirm that both the email leak and token generation flaw were fully resolved.
Cybersecurity Lessons
This incident shows how delayed vulnerability remediation puts users at risk. Companies handling sensitive data must:
- Prioritize security over legacy app support
- Implement API hardening and proper token management
- Adopt privacy-by-design principles
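The root cause described above is that a chat identity (the JID) carried the account email, so any path that resolved a username to a JID also resolved it to an email. The following is an added illustration of the "API hardening" and "privacy-by-design" points, written for this page and not Lovense's code: it contrasts an email-bearing JID with one derived from an opaque keyed hash of the internal user id, and a registration-check endpoint that answers only "taken or not" without echoing any other identifier. The chat domain, the user directory, the server secret and the use of XEP-0106 escaping for the "before" form are all assumptions made for the example.

```python
"""Added example: keep account emails out of chat identifiers and out of
lookup responses. Not Lovense's code; all names and data are constructed."""
import hashlib
import hmac

# Constructed placeholder; in production this comes from a secret store/KMS.
SERVER_SECRET = b"PLACEHOLDER-replace-with-random-32-byte-secret"

# Constructed sample directory: internal numeric id and email per username.
USERS = {
    "alice": {"uid": 1001, "email": "alice@example.com"},
    "bob": {"uid": 1002, "email": "bob@example.net"},
}
EMAIL_INDEX = {u["email"]: name for name, u in USERS.items()}

CHAT_DOMAIN = "chat.example"  # hypothetical XMPP domain


def leaky_jid(username: str) -> str:
    """'Before' design: the JID localpart is the account email (with the '@'
    escaped as '\\40' per XEP-0106). Anyone who can observe the JID, for
    example through a contact list, learns the email."""
    email = USERS[username]["email"]
    return f"{email.replace('@', chr(92) + '40')}@{CHAT_DOMAIN}"


def opaque_jid(username: str) -> str:
    """Hardened design: derive a stable but non-invertible localpart from the
    internal user id with a keyed hash. The uid-to-email mapping stays in the
    server database; nothing in the JID can be turned back into an email."""
    uid = USERS[username]["uid"]
    tag = hmac.new(SERVER_SECRET, f"uid:{uid}".encode(), hashlib.sha256).hexdigest()[:24]
    return f"u{tag}@{CHAT_DOMAIN}"


def check_registered(identifier: str) -> dict:
    """Registration check that accepts an email or a username (mirroring an
    'EmailOrUserId' style endpoint) but returns only a boolean. It never
    returns the other identifier, a JID or any account data, so a username
    cannot be converted into an email through this path."""
    ident = identifier.strip().lower()
    taken = ident in USERS or ident in EMAIL_INDEX
    return {"registered": taken}


def email_recoverable(jid: str) -> bool:
    """Audit helper: can any directory email be read straight out of a JID
    string (after undoing XEP-0106 escaping)? Useful as a regression check
    on identifier design."""
    local = jid.rsplit("@", 1)[0].replace(chr(92) + "40", "@")
    return local in EMAIL_INDEX


if __name__ == "__main__":
    print("leaky  :", leaky_jid("alice"), "-> email recoverable:", email_recoverable(leaky_jid("alice")))
    print("opaque :", opaque_jid("alice"), "-> email recoverable:", email_recoverable(opaque_jid("alice")))
    print("check  :", check_registered("alice"), check_registered("mallory"))
```

The opaque JID is still stable per account, so contact lists and message history keep working, and rotating SERVER_SECRET is the only thing that would change it. Note that `check_registered` still answers whether an identifier exists; if that endpoint must be exposed at all, it belongs behind authentication and rate limiting so it cannot be used for bulk enumeration of usernames or emails.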
Businesses using connected devices or remote user platforms should consider advanced cybersecurity monitoring and incident response services to prevent similar breaches.
Read the full BleepingComputer article here.