Lovense, a maker of internet-connected sex toys, has confirmed it has fixed a pair of security vulnerabilities that exposed users’ private email addresses and allowed attackers to remotely take over any user’s account.
While the company said the bugs have been “fully resolved,” its chief executive is now considering taking legal action following the disclosure.
In a statement shared with information.killnetswitch, Lovense CEO Dan Liu said the sex toy maker was “investigating the possibility of legal action” in response to allegedly inaccurate reports about the bug. When asked by information.killnetswitch, the company did not respond to clarify whether it was referring to media reports or to the security researcher’s disclosure.
Details of the bugs emerged this week after a security researcher, who goes by the handle BobDaHacker, disclosed that they had reported the two security bugs to the sex toy maker earlier this year. The researcher published their findings after Lovense said it would take 14 months to fully address the vulnerabilities rather than applying a “faster, one-month fix” that would have required alerting users to update their apps.
Lovense said in its statement, attributed to Liu, that the fixes put in place would require users to update their apps before they can resume using all of the app’s features.
In the statement, Liu claimed that there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.” It is not clear how Lovense came to this conclusion, given that information.killnetswitch (and other outlets) verified the email disclosure bug by setting up a new account and asking the researcher to identify the associated email address.
information.killnetswitch asked Lovense what technical means, such as logs, the company has to determine whether there was any compromise of users’ data, but a spokesperson did not respond.
It is not unusual for organizations to resort to legal demands and threats to try to block the disclosure of embarrassing security incidents, despite there being few rules or restrictions in the U.S. that prohibit such reporting.
Earlier this year, a U.S. independent journalist rebuffed a legal threat backed by a U.K. court injunction for accurately reporting a ransomware attack on U.K. private healthcare giant HCRG. In 2023, a county official in Hillsborough County, Florida, threatened criminal charges against a security researcher under the state’s computer hacking laws for identifying and privately disclosing a security flaw in the county’s court records system that exposed access to sensitive filings.