Dutch retailers pull Lovense sex toys after privacy breach exposes user emails
Dutch retailers Bol.com and EasyToys have suspended the sale of popular app-controlled sex toys made by Lovense, following the discovery of a serious, unresolved security flaw that exposed users’ names and email addresses—putting Dutch consumers, including webcam performers, at direct risk of identity exposure and remote device takeover, AD reports.
Lovense, a tech company based in Hong Kong with more than 20 million users worldwide, is known for its Bluetooth-enabled sex toys that can be controlled remotely via a smartphone app. In March, an 'ethical hacker' identified a vulnerability in how the app communicates with Lovense servers. The flaw allows malicious actors to retrieve users’ email addresses simply by sending a manipulated request—raising alarm among privacy experts and retailers.
Despite being notified of the issue in March, Lovense has reportedly failed to fully resolve it. Earlier this week, the company was again contacted with questions, but declined to offer specific answers. The app has since received an update to address “the most recent vulnerabilities,” but the update is reportedly not yet available to all users.
Bol.com and EasyToys confirmed to the press that they were made aware of the breach this week. Both companies immediately suspended the sale of Lovense products. EQOM, the Dutch distributor of the brand, has launched an internal investigation.
“We take this situation extremely seriously,” an EQOM spokesperson said. “If it becomes clear that Lovense users are at risk, we will issue appropriate warnings and actively inform customers.”
EasyToys, which has seen a spike in sex toy sales since the COVID-19 pandemic, contacted Lovense directly for clarification. Based on the company's limited initial response, EasyToys decided to remove the products as a precaution. “If we do not receive clear confirmation soon that the problems are resolved, we will post a warning on our website,” a spokesperson said.
Bol.com echoed the concern. “We are consulting with relevant authorities, including the Dutch Food and Consumer Product Safety Authority (NVWA),” a company spokesperson said.
The vulnerability lies in the app's mute function. When a user mutes another person in the Lovense app, the system may reveal the muted person's email address to whoever sent the request. Researcher BobDaHacker demonstrated to AD that, by sending a manipulated request to the Lovense server, he could turn any username into the corresponding email address in seconds.
This creates serious risks, particularly for Dutch webcam models and consumers who use pseudonyms to protect their identities. If their email addresses are exposed, their real identities could potentially be uncovered.
“I think it’s strange that they don’t mention this at all in the app. That’s not okay,” Rachel, an OnlyFans model based in the Netherlands who promotes Lovense devices, told AD. Another model, StephanieDutchie, said she uses the Lovense Lush but was unaware of the flaw. “I didn’t know anything about this,” she told the newspaper.
Even more alarmingly, the flaw could allow an attacker to take over a user's Lovense account by obtaining their authentication tokens, which would give full remote control of any connected toy. No such cases have been reported yet, but experts warn that the potential alone is dangerous.
“This is a serious violation of physical integrity,” Steven Derks, board member of Dutch privacy watchdog Privacy First, told AD. “This is not a trivial flaw. These devices are used in an intimate context and often by people who operate under a pseudonym, such as cam models.”
Privacy First strongly criticized Lovense for taking months to address the issue. “That the company was informed in March and only released a patch at the end of July is outrageous,” Derks told AD. “It shows that Lovense did not treat user safety as a priority and failed to comply with the principles of privacy-by-design.”
The organization warned that large numbers of users may have been exposed, particularly in online communities and public forums where usernames are frequently shared. “This is not abstract data. This is access to devices that directly affect a person’s body,” Derks added.
“Delaying a fix under the pretense of legacy system support is unacceptable,” he told AD. “A responsible company immediately patches critical vulnerabilities and communicates that clearly to users. That’s not just ethical—it’s likely a legal requirement under the General Data Protection Regulation (GDPR). In this case, commercial convenience seems to have outweighed user protection.”
Cybersecurity firm ESET Nederland previously reviewed app-controlled sex toys, including Lovense products, and reported inadequate security. One example from that research, concerning a device from another brand: the We-Vibe Jive vibrator was detectable via Bluetooth from up to eight meters away.
ESET CEO Dave Maasland emphasized that the company’s response to the breach matters even more than the bug itself. “With such intimate products, every sign of negligence must be avoided. Users must be able to fully trust that their privacy and safety are protected at the highest level,” Maasland told AD.
Lovense declined to respond in detail to direct questions from AD. The company issued a vague statement saying it is “conducting a thorough internal investigation” and asked for patience.
In a separate statement to TechCrunch, Lovense claimed to have rolled out an update addressing “the most recent vulnerabilities,” but added that “some recent media coverage may contain misunderstandings.” When asked to clarify this statement, the company offered no further response.
