In an alarming turn of events, a zero-day vulnerability in the Lovense app, designed for remotely controlling various sex toys, poses significant risks to user privacy. With just a username, hackers can potentially obtain email addresses and other sensitive information, as well as hijack user accounts.

The vulnerability was initially flagged back in March, but the extent of its implications has only recently come to light. According to reports, the security researcher BobDaHacker discovered the flaw while using the app. “It started when I muted someone. Then I saw the API response and was surprised to find email addresses visible, which shouldn’t be the case,” he explained.

Despite Lovense’s claims of having addressed the issue since its disclosure, tests conducted by Bob and fellow researchers demonstrated that the fixes provided were insufficient, as vulnerabilities remained viable until late July 2025. Lovense has communicated that resolving this problem will require extensive architectural changes, which might disrupt support for older versions of the app. Bob advises users to consider using temporary email addresses with the app, given the ongoing risks associated with these flaws.