Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure.

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one or multiple of the things mentioned above are present in most of my other incidents reported; it's a real shit show out there.

Kantorkel ist Forscher und Wächter unserer digitalen Sicherheit und Mitgleid im CCC. Er deckte auf, dass gebrauchte US‑Militärgeräte Biometriedaten enthielten. In seinen Beiträgen zeigt er, wie man Sicherheits­lücken verantwortungsbewusst meldet. Wer echten Datenschutz will, wer weiß, wie Technik uns schützt oder gefährdet, sollte ihm folgen. Jeder Post stärkt unsere digitale Freiheit und schützt unsere Rechte. Folge @kantorkel! #CCC #Datenschutz #Sicherheit #ResponsibleDisclosure

In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and I to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

https://databreaches.net/2025/07/04/no-need-to-hack-when-its-leaking-brandt-kettwick-defense-edition/

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.

A state forensics lab was leaking its files. Getting it locked down involved a number of people, notably @JayeLTee and @masek , although yours truly was also involved, as were others:

https://databreaches.net/2025/06/22/a-state-forensics-lab-was-leaking-its-files-getting-it-locked-down-involved-a-number-of-people/

#dataleak #responsibledisclosure #infosec #govsec

Related:
https://jltee.substack.com/p/forensic-lab-with-links-to-montana-doj-leaks-phone-extracts

https://blog.literarily-starved.com/2025/06/postmortem-assumed-doj-montana-leak-of-phone-dumps/

Some wild things I found exposed recently that I am actively trying to close down:

1) Criminal Defense firm with archived case files exposed (evidence, discovery, court docs, etc) includes crash reports with dead people - Contacted the Law firm last week and nothing done.

2) Phone extracts for multiple cases that have been on the news, including a case of a cop suicide, sexual abuse cases - Looking at who to notify about this one, being extra careful as the file listing suggests illegal stuff gathered as evidence might be exposed on it.

3) A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association on other tables and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far, no reply.

Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.

What's the new / current place for publishing vulnerability reports (as part of responsible disclosure; I already got a CVE ID)?

Last time I published something, BugTraq still was a thing.

Happy Birthday (nachträglich) zu drei Jahren #Datenleck, lieber Tuev Nord

https://lims.tuv-nord.co.th/main_app/.env
https://185.39.106.141/main_app/google-credential.json
https://185.39.106.141/.git/config

inetnum: 185.39.106.0 - 185.39.106.255
netname: DE-TUEVNORD-H-106

Looking for some help, boosts appreciated:

Anyone with a security contact at Disney or ABC Network?

I know Disney has a bug bounty program, but the issue is with a third-party software leaking data from multiple companies.

Found no information as to who owns the software online and would like some help figuring out who to notify.

Immer noch eins meiner liebsten T-Shirts
#ResponsibleDisclosure

#ResponsibleDisclosure also means to share if you have been diagnosed with an infectious disease while at or after an event or conference, ideally posted in a way that as many possible visitors of said event will notice (e.g. post here with a hashtag of the event, like #FOSDEM). There is no embargo on sharing such a vulnerability ;)

If you haven't read this post by @gcluley about a proposed Turkish law and you are a researcher or journalist reporting on breaches, read it:

New Law Could Mean Prison for Reporting Data Leaks:
https://www.tripwire.com/state-of-security/new-law-could-mean-prison-reporting-data-leaks

FTR. I still believe in #ResponsibleDisclosure with a 90 day limit after the first acknowledged receipt. If the company/government/organisation won't move 90 days after they've acknowledged receiving your info, you should be free to go public. But going 0day is a different story.

Don’t be a #zendesk

#responsibledisclosure
#bounty
#bug
#outofscope

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52