In what may be the most consequential connected sex toy security incident to date, Lovense — the market leader in app-controlled intimate devices — was found to have two critical vulnerabilities that put over 20 million users' personal data at risk. The flaws were discovered by security researcher BobDaHacker, working with researchers Eva and Rebane, who first notified Lovense on March 26, 2024.

Why It Matters

With 20 million users and expanding into AI companion robots, Lovense's security track record raises fundamental questions about whether the teledildonics industry can adequately protect the most intimate data imaginable. The company's attempt to suppress disclosure through legal threats, rather than thanking researchers, sets a dangerous precedent for IoT sex toy security research.

The first vulnerability allowed complete account hijacking: using only an email address, an attacker could generate authentication tokens through the /api/wear/genGtoken endpoint without needing a password. These tokens worked across Lovense Connect, StreamMaster, and Cam101 platforms — including admin accounts. The second flaw was even more insidious: through a multi-step attack exploiting Lovense's XMPP chat system, an attacker could extract any user's private email address using only their publicly visible username, in less than one second per user, and the process could be fully automated.
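The two flaws above are instances of two general API design mistakes: a token-issuance endpoint whose only input is an account identifier, and a lookup that maps a public handle to a private field. The following is an added, hypothetical Python illustration of each pattern beside its hardened form; it is not Lovense's code, the page does not describe how the real backend was implemented, and the user store, salt, server key and function names are all constructed for the example.

```python
"""
Added, hypothetical illustration (not Lovense's code) of the two API
design mistakes described in the article, each beside a hardened version.

1. Token issuance keyed only on an identifier (email): anyone who knows
   the email can mint a session token. Fix: verify the credential first.
2. A lookup that maps a public handle to a private field (email): trivial,
   automatable harvesting. Fix: never return the private field at all.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt (constructed parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store: one account with a public username.
_SALT = os.urandom(16)
USERS = {
    "alice@example.invalid": {
        "username": "alice_public",
        "salt": _SALT,
        "password_hash": _hash_password("correct horse", _SALT),
    },
}
SERVER_KEY = secrets.token_bytes(32)  # HMAC key for signed tokens (constructed)


def _mint_token(email: str) -> str:
    # Tokens are HMAC-signed so they cannot be forged offline, but signing
    # is irrelevant if the endpoint hands a token to anyone who names an email.
    nonce = secrets.token_hex(8)
    msg = f"{email}:{nonce}".encode()
    sig = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return f"{email}:{nonce}:{sig}"


def gen_token_vulnerable(email: str) -> Optional[str]:
    """Pattern 1 (weak): the identifier is the only input; no credential check."""
    if email not in USERS:
        return None
    return _mint_token(email)


def gen_token_hardened(email: str, password: str) -> Optional[str]:
    """Pattern 1 (fixed): issue a token only after verifying the password."""
    user = USERS.get(email)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison so timing does not leak match position.
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return None
    return _mint_token(email)


def lookup_vulnerable(username: str) -> Optional[dict]:
    """Pattern 2 (weak): public handle -> private email, one call per user."""
    for email, user in USERS.items():
        if user["username"] == username:
            return {"username": username, "email": email}
    return None


def lookup_hardened(username: str) -> Optional[dict]:
    """Pattern 2 (fixed): public handle -> public fields only.
    The email never leaves the server, so no enumeration can recover it."""
    for user in USERS.values():
        if user["username"] == username:
            return {"username": username}
    return None


if __name__ == "__main__":
    print("weak token for email alone:", gen_token_vulnerable("alice@example.invalid") is not None)
    print("hardened, wrong password:", gen_token_hardened("alice@example.invalid", "nope"))
    print("hardened, right password:", gen_token_hardened("alice@example.invalid", "correct horse") is not None)
    print("weak lookup leaks:", lookup_vulnerable("alice_public"))
    print("hardened lookup:", lookup_hardened("alice_public"))
```

The point of the hardened token path is that the credential check happens before any token is minted, regardless of how strong the token format is; the point of the hardened lookup is that a private field which is never returned cannot be harvested no matter how fast or automated the requests are. In practice both endpoints would also sit behind per-account and per-source rate limits and emit audit logs, which makes a one-request-per-user enumeration visible to a detection pipeline.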

The timeline of Lovense's response drew sharp criticism. After the March 2024 disclosure, the company fixed the account hijacking flaw by July 2024 but told researchers the email harvesting vulnerability would take 14 months to fix due to backward compatibility concerns with older app versions. When the researchers went public in late July 2025, Lovense patched the "14-month fix" in just 2 days — undermining their earlier timeline claim entirely.

Lovense then threatened legal action against the security researchers who had disclosed the vulnerabilities, a move that TechCrunch's security editor Zack Whittaker covered on August 1, 2025. This is not Lovense's first security incident: in 2017, the company's app was found to be recording private intimate moments without user consent.

The incident is particularly concerning given that Lovense simultaneously launched Emily, its $4,000–$8,000 AI companion robot at CES 2026, which collects even more intimate data including conversational memories and behavioral patterns.

Update — 2026-03-14

Initial entry — story first created.