Sex, Lies, and Data Breaches: A Cautionary Tale of Data Collection, Usage, and How It Impacts an Accounting Firm
The two are more similar than you may realize....
Stay Tuned: This Impacts Your Accounting or Tax Firm
Adult sex toy company Lovense has had a vulnerability exposed in its popular app, used by over 20 million individuals. This vulnerability exposes the users’ e-mail addresses; these addresses can be used for harassment, blackmail, or doxxing (a term used to describe shaming or embarrassing somebody online). Lovense was founded by Chinese company Hytto Ltd and is now based out of Singapore.
Security researchers uncovered a critical zero-day vulnerability in Lovense’s app that allows anyone to expose a user’s private email address simply by knowing their username. The flaw leverages Lovense’s XMPP chat system.
Additionally, a second issue allows attackers to create active authentication tokens for any user without needing their password by exploiting these same APIs. This enables full account takeovers including access to historical information.
The flaws were initially disclosed to Lovense on March 26, 2025, by the researcher "BobDaHacker," in collaboration with other researchers. Despite Lovense claiming it would take 14 months to implement full fixes to avoid disruption of service to existing users, the researcher went public due to delays, well beyond the typical three-month disclosure grace period for critical bugs.
If you use Lovense devices or services: immediately change passwords, enable any available security measures, and monitor your account activity. Cam models, OnlyFans streamers, and other public users should exercise extreme caution, as they are particularly exposed.
The Impact of Data Collection and Privacy
While exposing somebody’s e-mail may seem minimal, it is important to note that many of these companies have notoriously been accused of, and sued over, data privacy violations. Particularly in the cases of Lovense and We-Vibe, users have filed suit over each company’s mishandling of user data, including tracking users’ usage data and historical preferences. Most lawsuits were settled privately.
The Real Danger in Data Collection
Many people will focus on the lack of integrity within many organizations or the reduced focus many companies place on data security. Both of these are extremely true and necessary concerns. The data they hold AND the data we hold in financial services is critical and, ultimately, can destroy somebody’s life or livelihood if exposed. Heck, look at the chaos over the recent Coldplay Kiss Cam exposure where there is already a lawsuit claiming invasion of privacy.
The real message that few people will talk about in these scenarios is the misuse and mis-collection of data. I will be the first to say there is a fine line here as to what data is crucial and what data can be used for other means, particularly data mining and marketing. The Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule require a Privacy Policy and Data Disclosure Statement for all uses of data as well as for data that is collected, particularly in connection to non-essential tasks.
From experience, very few tax professionals and accountants have a sufficient privacy policy, data disclosure, or engagement letter to manage these needs. Many reduce these documents to make them easy for clients to read or understand. This is a huge mistake, and this minimization typically invalidates these documents.
An excellent scenario we see here is the usage of client data in analytics or AI. While many firms claim they use this data to improve tax planning or increase automation efforts, doing so carries a heightened risk of exposure. More so, without the proper documentation in place, a firm could be sued for BOTH a data breach as well as unauthorized use of data.
A firm should invest heavily in the expertise of both a lawyer and security specialist before moving forward with any of this technology.
Imagine the embarrassment a Lovense user would feel if all of their usage was exposed. Now imagine that same embarrassment if a client’s financial information is exposed. You have the capability to stop at least one of those.
If you do not fully understand an issue or if you need assistance working through a resolution, the team here at Financial Guardians is available for Individual Support Calls to assist with any individual or specific matters.