Lovense, the maker of internet-connected sex toys, left user emails exposed for months — even after it became aware of the vulnerability. Lovense is behind a range of sex toys that users can connect to the internet and remotely control via its app, which came under fire for a “minor bug” in 2017 that recorded users’ sex sessions. As outlined in BobDaHacker’s post, the security researcher noticed something strange in the app’s API response when muting someone: it presented their email address. BobDaHacker even developed a script that they say can convert someone’s username into an email address in less than a second. However, the security researcher says Lovense didn’t immediately fix the issue.