Sex toy maker Lovense threatens legal action after fixing security flaws that exposed users’ data


Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed users’ private email addresses and allowed attackers to remotely take over any user’s account.

While the company said the bugs were “fully resolved,” its chief executive is now considering taking legal action following the disclosure.

In a statement shared with TechCrunch, Lovense CEO Dan Liu said the sex toy maker was “investigating the possibility of legal action” in response to allegedly erroneous reports about the bug. When asked by TechCrunch, the company did not respond to clarify whether it was referring to media reports or to a security researcher’s disclosure.

Details of the bug emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense claimed it would take 14 months to fully address the vulnerabilities rather than applying a “faster, one-month fix” that would have required alerting users to update their apps.

Lovense said in its statement, attributed to Liu, that the fixes put in place will require users to update their apps before they can resume using all of the app’s features.

In the statement, Liu claimed that there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” It’s not clear how Lovense came to this conclusion, given TechCrunch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.

TechCrunch asked Lovense what technical means, such as logs, the company has to determine if there was any compromise of users’ data, but a spokesperson did not respond.

It’s not unheard of for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite few rules or restrictions in the U.S. prohibiting such reporting.

Earlier this year, a U.S. independent journalist rebuffed a legal threat from a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state’s computer hacking laws for identifying and privately disclosing a security flaw in the county’s court records system that exposed access to sensitive filings.


