Lovense, a maker of internet-connected sex toys, has confirmed it fixed a pair of security vulnerabilities that exposed users’ private email addresses and allowed attackers to remotely take over any user’s account. While the company stated the bugs were “fully resolved,” its CEO is now considering legal action following the disclosure.
In a statement, Lovense CEO Dan Liu said the company was “investigating the possibility of legal action” in response to allegedly erroneous reports about the bug. When asked for clarification on whether this referred to media reports or a security researcher’s disclosure, the company did not respond.
Details of the vulnerabilities emerged after a security researcher, using the handle BobDaHacker, disclosed they had reported the two security flaws to Lovense earlier this year. The researcher published their findings after the company claimed it would take 14 months to fully address the issues rather than implementing a faster, one-month fix that would have required users to update their apps.
Lovense stated that the fixes now in place will require users to update their apps before they can resume using all features. CEO Liu claimed there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” However, it remains unclear how Lovense reached this conclusion, given that TechCrunch and other outlets verified the email disclosure bug by creating a new account and confirming the researcher could identify the associated email address.
When asked what technical measures, such as logs, Lovense used to determine if user data was compromised, the company did not respond.
Legal threats intended to block disclosure of security incidents are not uncommon, even though few restrictions in the U.S. prohibit such reporting. Earlier this year, a U.S. journalist resisted a legal threat stemming from a U.K. court injunction for accurately reporting a ransomware attack on healthcare giant HCRG. In 2023, a Florida county official threatened criminal charges against a security researcher under state hacking laws for privately disclosing a flaw in the county’s court records system that exposed sensitive filings.