Lovense, the maker of internet-connected adult devices, says it has fixed two security bugs that could have allowed hackers to hijack user accounts or reveal private email addresses, and it is not happy about how the news came out. After patching the vulnerabilities, Lovense CEO Dan Liu is now hinting at legal action. But not against the hackers, against whoever talked about the hack.
In a statement shared with TechCrunch, Liu said the company is “investigating the possibility of legal action,” though didn’t clarify whether it’s targeting journalists or the researcher who exposed the bugs. (Because nothing says “this is fine” like threatening people for reporting on your security flaws.)
A security researcher going by the name BobDaHacker says they reported the bugs to Lovense months ago. But when the company allegedly suggested a 14-month timeline to fix the problem, instead of a quicker, one-month patch that would’ve meant alerting users, the researcher went public.
So, what could those bugs do?
- Bug #1: Reveal private email addresses tied to Lovense accounts.
- Bug #2: Let an attacker remotely take over someone’s account. You know… the one controlling a WiFi sex toy.
Related: Proton Launches New App for two-factor authentication
You do not need to imagine the implications too hard. Lovense says the issues are now resolved, and users will need to update the app before they can continue enjoying all its features. The company also insists there is “no evidence” any user data was misused, though it has not explained how it can be sure of that. When asked whether logs or monitoring tools were used to detect abuse, the company… didn’t answer.
And that is where things get awkward. Rather than leaning into transparency, Lovense’s next move appears to be lawyering up. According to the statement, the company believes some coverage of the vulnerability is misleading, and it is looking into legal options.
This would not be the first time a company has tried to squash uncomfortable truths through legal threats. Earlier this year, a journalist in the U.S. resisted a court order over a ransomware report. And in 2023, a Florida official even tried to press criminal charges against a researcher who quietly disclosed a court records security flaw. Fixing the code is one thing. Fixing the PR? That is a whole different matter.
The question is not just whether your connected vibrator is secure; it is whether you will get sued for saying it was not. In the world of smart devices, being right about a bug might land you in court faster than the hacker who found it.
