Lovense Data Breach & Legal Threats - Security Flaws Exposed

Lovense Addresses Security Vulnerabilities in Internet-Connected Toys
Lovense, a company specializing in internet-connected sex toys, has confirmed the resolution of two security flaws. These vulnerabilities potentially exposed users' private email addresses and permitted unauthorized remote account access.
Bug Fixes and Potential Legal Action
Despite the company stating the issues are “fully resolved,” its CEO is contemplating legal recourse following the disclosure of these vulnerabilities. Dan Liu, CEO of Lovense, indicated they are “investigating the possibility of legal action” in response to reports concerning the bug.
When questioned by TechCrunch regarding the specifics of this potential legal action, the company refrained from clarifying whether it pertained to media coverage or the security researcher’s initial disclosure.
Researcher Disclosure and Company Response
The details of these security issues surfaced this week after a security researcher, known as BobDaHacker, disclosed that they had reported the two vulnerabilities to Lovense earlier in the year.
The researcher chose to publicize their findings after Lovense communicated a proposed 14-month timeline for complete remediation. This contrasted with a “faster, one-month fix” that would have necessitated informing users to update their applications.
App Updates Required
According to a statement from Lovense, attributed to Liu, the implemented fixes necessitate users updating their apps to regain full functionality.
Liu asserted that there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” However, the basis for this conclusion remains unclear.
TechCrunch, along with other news sources, independently verified the email disclosure vulnerability by creating a new account and asking the researcher to identify the corresponding email address.
Lack of Transparency
TechCrunch inquired about the technical methods, such as logs, used by Lovense to ascertain whether user data had been compromised. A company spokesperson did not provide a response.
Legal Tactics and Security Disclosure
It is not uncommon for organizations to employ legal demands and threats to impede the disclosure of security incidents, despite limited legal restrictions in the U.S. governing such reporting.
Recent Examples of Legal Threats
Earlier this year, a U.S. journalist successfully resisted a legal threat stemming from a U.K. court injunction. This occurred after accurately reporting a ransomware attack targeting HCRG, a major U.K. private healthcare provider.
In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher. This threat was based on the state’s computer hacking laws, triggered by the researcher’s identification and private disclosure of a security flaw in the county’s court records system, which exposed sensitive filings.
These instances highlight a growing trend of organizations attempting to suppress information regarding security vulnerabilities through legal means.
