BobDaHacker

<p>Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦</p><p>What I found:<br>- Email disclosure via XMPP (username→email)<br>- Auth bypass (email→account takeover, no password)</p><p>History of ignoring researchers:<br>- 2022: Someone else reports XMPP email leak, ignored<br>- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350<br>- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)<br>- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)<br>- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)<br>- July 28: I go public<br>- July 30: Both fixed in 48 hours</p><p>Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.</p><p>News covered it but my blog has the full technical details:<br><a href="https://bobdahacker.com/blog/lovense-still-leaking-user-emails/" rel="nofollow noopener" translate="no" target="_blank">https://bobdahacker.com/blog/lovense-still-leaking-user-emails/</a></p><p><a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a> <a href="https://infosec.exchange/tags/ResponsibleDisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ResponsibleDisclosure</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/IoT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IoT</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>