Red Hot Cyber, The cybersecurity news

Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search

Lovense writes to Red Hot Cyber. The CEO provides clarification on security vulnerabilities.

Redazione RHC : 1 August 2025 10:50

Regarding our previous article about security bugs discovered in Lovesense devices (a leading company in the field of intimacy technology devices), the company has released an official statement to Red Hot Cyber.

This statement responds to recent concerns raised in the press about security bugs discovered in its products.

Dan Liu, CEO of Lovense, wanted to reassure customers and partners of its ongoing commitment to protecting user privacy and security through a press release that we are sharing with our partners. Readers.

The identified vulnerabilities

A security researcher, using a bug bounty platform in which Lovense has participated since 2018, identified two specific vulnerabilities:

  1. Email address exposure: A bug that could potentially expose email addresses associated with Lovense accounts through specific network activity.
  2. Account takeover risk: A vulnerability that could have allowed unauthorized access to accounts via email addresses, without the need for passwords.

It is important to emphasize that these vulnerabilities were discovered under controlled conditions and not through malicious activity. Below is the Lovesense press release in its entirety provided to Red Hot Cyber.

Statement Regarding Recent Lovense Security Vulnerabilities

Statement from the CEO of Lovense

At Lovense, maintaining the trust of our customers and partners is our highest priority. We are aware of the recent report regarding security vulnerabilities disclosed by a security researcher. We want to provide clarity on the situation and outline the steps we have taken to address these concerns.

Summary of the Issue

The security researcher identified two vulnerabilities in our systems:

1. Email Address Exposure: A bug that could potentially expose email addresses associated with Lovense accounts through specific network activity.
2. Account Takeover Risk: A vulnerability that may allow unauthorized access to accounts using email addresses without requiring passwords. These vulnerabilities were discovered under controlled conditions by the researcher, who is part of a bug bounty platform we joined in 2018, and not through malicious activity.

We want to reassure our customers that:
• All identified vulnerabilities have been fully addressed.
• As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.

Actions Taken

• The email address exposure vulnerability has been fully resolved, and updates have been deployed to all users. Users must upgrade to the latest version to properly access all functions that may be affected by this
vulnerability. While those who do not upgrade will not face security risks, certain features will become unavailable.
• The account takeover vulnerability has been fixed following verification by our team.
• In our commitment to privacy and security, we submitted these fixes to the bug bounty platform for further independent testing to ensure the robustness of our solutions. This is standard practice to safeguard user
privacy and security.

Response to Timeframe for Fixes

To illustrate our approach, consider Lovense as a complex machine, where each component must function harmoniously for overall safety and reliability. When a faulty gear is identified, we conduct immediate repairs while evaluating the entire system to ensure all parts work together seamlessly. 

Although vulnerabilities relate to email addresses, the conditions triggering those are distinct, which requires tailored solutions and thorough testing. We adopted a dual-track strategy of emergency response and long-term optimization.

The originally scheduled long term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team's dedicated efforts and increased resource allocation. Reducing this comprehensive project to a simple "fixable in two days" is not only misleading but also overlooks the immense work put forth by our team.

Ensuring user safety has always been our core mission, a commitment reflected in our decision to join the HackerOne program in 2018. We are proud to be one of the earliest sex toy companies to have joined this initiative, demonstrating our dedication to user safety. We value the insights provided in the vulnerability disclosure report and appreciate the researcher's proactive approach. However, we must clarify that any accusations of neglect regarding user safety are unfounded.

Commitment to Data Security

We regret any concern this report may have caused and remain steadfast in protecting user privacy and security. To prevent similar issues in the future, we are:

• Conducting a comprehensive review of our security practices to proactively identify and resolve potential vulnerabilities.
• Strengthening collaboration with external security researchers and platforms to enhance detection and response times.
• Proactively communicating with users about security updates to maintain transparency and trust. We will also be rolling out a statement to users about these vulnerabilities.

In response to the numerous erroneous reports online, our legal team is investigating the possibility of legal action. Thank you for your understanding and continued trust in Lovense.

Kind Regards,
Dan Liu
CEO of Lovense

User interventions and safety

Lovense has already solved both problems. Specifically:

  • The email address exposure vulnerability has been fixed in an update distributed to all users. To continue using all features, you must update your device to the latest software version. Those who don’t update are not at risk of security, but some features may not be available.
  • The account takeover issue has been fixed after review by the internal team.

The implemented solutions have undergone further independent testing via the bug bounty platform, ensuring the robustness of the fixes.

Timeline and resolution process

CEO Liu explains that Lovense has A dual-track approach was adopted: urgent actions to mitigate risks now and a long-term review to optimize the system. The system rebuild plan, originally scheduled for 14 months, was completed ahead of schedule thanks to dedicated resources.

Lovense emphasizes that simplifying the work to a “two-day fix” is misleading and does not reflect the complex work carried out by the team.

Ongoing commitment and the future

Lovense is proud to be among the first sex tech companies to join the HackerOne program, demonstrating a historic commitment to user security. The company is committed to:

  • Comprehensively review security practices to prevent future vulnerabilities.
  • Strengthen collaboration with external researchers and bug bounty platforms.
  • Transparently communicate with users about security updates.

Lovense has also announced that it intends to take legal action against numerous erroneous reports. and misleading claims that appeared online.

Conclusions

CEO Dan Liu concludes by asking for users’ understanding and trust, reaffirming that security and privacy remain Lovense’s top priority. We conclude by emphasizing that even the best cybersecurity programs can have vulnerabilities; however, the implementation of a bug bounty program demonstrates the company’s commitment to the hacker community and its unwavering dedication to the security of its products and customers.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli