Lovense, the maker of internet-connected sex toys, left user emails exposed for months — even after it became aware of the vulnerability. In a blog post spotted by TechCrunch and Bleeping Computer, security researcher BobDaHacker found that they could “turn any username into their email address,” which they could then use to take over someone’s account.

Though BobDaHacker initially disclosed this vulnerability to Lovense in March, the researcher claims Lovense waited months before fixing it, and still hasn’t fully addressed the issue. Lovense is behind a range of sex toys that users can connect to the internet and remotely control via its app, which came under fire for a “minor bug” in 2017 that recorded users’ sex sessions.

As outlined in BobDaHacker’s post, the security researcher noticed something strange in the app’s API response when muting someone: it presented their email address. BobDaHacker then figured out that they could take advantage of this vulnerability by sending a modified request to Lovense’s servers, tricking it into returning the target user’s email address. 

BobDaHacker even developed a script that they say can convert someone’s username into an email address in less than a second. “This is especially bad for cam models who share their usernames publicly but obviously don’t want their personal emails exposed,” BobDaHacker writes. To make matters worse, BobDaHacker later discovered that they could take over a user’s account with their email address and an authentication token generated by Lovense. 

BobDaHacker initially reported these vulnerabilities in partnership with the Internet of Dongs, a group that aims to make internet-connected sex toys more secure. However, the security researcher says Lovense didn’t immediately fix the issue. Instead, Lovense claimed that the account takeover bug was fixed in April, even though BobDaHacker said it wasn’t, and that a fix for the email leak issue would take 14 months to roll out.

“We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,” Lovense said, according to BobDaHacker. As noted by BobDaHacker, security researchers reported the same account takeover bug to Lovense in 2023, but the company appears to have closed the bug without actually fixing it.

In a statement to Bleeping Computer, Lovense says it has submitted an app update “addressing the latest vulnerabilities” to app stores. “The full update is expected to be pushed to all users within the next week,” Lovense says. “Once all users have updated to the new version and we disable older versions, this issue will be completely resolved.” Lovense didn’t immediately respond to The Verge’s request for comment.