
#responsibledisclosure


Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
bobdahacker.com/blog/lovense-s

bobdahacker.com · Lovense: The Company That Lies to Security Researchers
How Lovense has ignored the same critical vulnerabilities for 2+ years, lied about fixes, and manipulated bounty payouts while leaving 10s of millions of users exposed.

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one or multiple of the things mentioned above are present in most of my other incidents reported; it's a real shit show out there.

In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and me to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

databreaches.net/2025/07/04/no

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.

Looking for some help, boosts appreciated:

Anyone with a security contact at Disney or ABC Network?

I know Disney has a bug bounty program, but the issue is with a third-party software leaking data from multiple companies.

Found no information as to who owns the software online and would like some help figuring out who to notify.

Replied to JayeLTee

@JayeLTee Just to add some context about my attempt to get Mango's Place to lock down their data back in 2022:

I had been contacted by a researcher with info on the exposed data. Because that researcher was not in the U.S., I followed up on unsuccessful notifications with a phone call. I even made a note of who I spoke to in August 2022.

But alerting entities to their leaks is not my job, and when they didn't get back to me, I eventually forgot about them. I had waited to report anything because -- unlike a site that all-too-often reports on leaks that are still exposed -- I didn't want to publish about a leak where the still-exposed data had their name in the storage location's URL.

Whether Mango's Place will get sued by any irate parents remains to be seen. If they are, their failure to respond in 2022 may become part of any case.

Replied to JayeLTee

@JayeLTee This is why sometimes it's not enough to just disclose responsibly to an entity. Did you let the data protection regulator know that although the entity is claiming a 4-day exposure window, your research found it was almost a year? And did you tell the data protection regulator that the entity is reportedly telling some departments that their data was not exposed, when you found clear proof that it was?

@lfdi

It's particularly frustrating when the big tech firms don't respond appropriately to alerts.

@JayeLTee tells me he reported a server with 2.1B infostealer records hosted on Microsoft servers to cert.microsoft[.]com -- which is the URL listed in the WHOIS to report illegal content. His case came back within an hour as closed but they didn't do anything! He's trying abuse@microsoft[.]com now.

Anyone at #Microsoft reading this: c'mon folks, respond appropriately to notifications like this.

"Italy, exposed database puts dental clinic patients' data at risk":
suspectfile.com/italy-exposed-

@amvinfe followed up on some findings by @chum1ng0 and they tried to get two entities to lock down exposed data that includes personal information.

Despite repeated notifications, the data are still not locked down, it seems.

A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.

"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."

If I were to follow these rules, it would mean that countless client systems could remain vulnerable to this critical vulnerability.

I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.

CFTC Awards Over $8 Million to Insider Whistleblower Who Aided CFTC and Other Agency Actions - Commodity Futures Trading Commission

Whistleblowers are eligible to receive between 10 and 30 percent of the monetary sanctions collected. All whistleblower awards are paid from the ...

cftc.gov/PressRoom/PressReleas


Boeing CEO Dave Calhoun knew about whistleblower retaliation - Quartz

Dave Calhoun told U.S. senators this week that the company always listens to whistleblowers, but that he hadn't personally done so.

qz.com/boeing-ceo-dave-calhoun

Quartz · Boeing's CEO says he knew about retaliation against whistleblowers — but never talked to them
By Erin Marquis / Jalopnik