mastodon.ie is one of the many independent Mastodon servers you can use to participate in the fediverse.

#responsibledisclosure


Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
bobdahacker.com/blog/lovense-s

bobdahacker.com · Lovense: The Company That Lies to Security Researchers
How Lovense has ignored the same critical vulnerabilities for 2+ years, lied about fixes, and manipulated bounty payouts while leaving 10s of millions of users exposed.

@GossiTheDog okay, so the #ITsec is run by criminally incompetent #MAGA|ts that have no clue that they're ruining #NatSec by refusing to patch shit as long as they can shitpost stale memes and speculate with shitcoins on taxpayers' time.

Even if I wanted to fix it (and I have no reason to do so given the #Trump-Regime basically displaced everyone I hold dear), I could be glad if they just decided to sue the shit out of me for "hacking", not try to put a bullet in my head or not forcibly disappear me into a black site like Diego Garcia.

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one or more of the things mentioned above are present in most of my other reported incidents; it's a real shit show out there.

In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and me to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

databreaches.net/2025/07/04/no

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.


Oh, and there are over 1 billion info-stealer records exposed at the moment between a couple of IPs. This is so common, I'm surprised this was even on the news in the last few weeks for a rather small server.

180 million is really on the low end of what usually shows up exposed. I've seen servers with over 3.5 billion logs running before being wiped by wiperware.

Some wild things I found exposed recently that I am actively trying to close down:

1) 🇺🇸 Criminal Defense firm with archived case files exposed (evidence, discovery, court docs, etc) includes crash reports with dead people - Contacted the Law firm last week and nothing done.

2) 🇺🇸 Phone extracts for multiple cases that have been on the news, including a case of a cop suicide, sexual abuse cases - Looking at who to notify about this one, being extra careful as the file listing suggests illegal stuff gathered as evidence might be exposed on it.

3) 🇳🇿 A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association on other tables and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far, no reply.

Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.

Looking for some help, boosts appreciated:

Anyone with a security contact at Disney or ABC Network?

I know Disney has a bug bounty program, but the issue is with a third-party software leaking data from multiple companies.

Found no information as to who owns the software online and would like some help figuring out who to notify.

Replied to JayeLTee

@JayeLTee Just to add some context about my attempt to get Mango's Place to lock down their data back in 2022:

I had been contacted by a researcher with info on the exposed data. Because that researcher was not in the U.S., I followed up on unsuccessful notifications with a phone call. I even made a note of who I spoke to in August 2022.

But alerting entities to their leaks is not my job, and when they didn't get back to me, I eventually forgot about them. I had waited to report anything because -- unlike a site that all-too-often reports on leaks that are still exposed -- I didn't want to publish about a leak where the still-exposed data had their name in the storage location's URL.

Whether Mango's Place will get sued by any irate parents remains to be seen. If they are, their failure to respond in 2022 may become part of any case.

🔒 How to Report Security Issues in Open Source—Responsibly

Security flaws happen—but how we handle disclosure matters.

In this smart and timely guide, Jacob Kaplan-Moss outlines the three-step process for responsible vulnerability reporting in open source software (OSS):

✔️ Report the issue privately to maintainers
⏳ Allow a reasonable time frame (up to 3 months) for a fix
📢 If needed, publicly disclose to protect users

Kaplan-Moss also explains how to find contact info, the ethics of disclosure timelines, and tools available to OSS maintainers.

This is must-read content for anyone in security, development, or open source governance.

👉 jacobian.org/2025/mar/27/repor

jacobian.org · How to report a security issue in an open source project - Jacob Kaplan-Moss
So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?

Executive Summary (TL;DR): HackerOne requires SMS, documentation is bad, and support doesn't.

"Please let us know your HackerOne email address", I was asked. Everyone (who matters) knows HackerOne ( @Hacker0x01 ?), so I rush to hackerone.com/ to sign up.

Signup was typical, with praiseworthy indication that passwords are limited to the BCrypt hash limit of 72 characters. With email confirmed, the next step was of course to set up 2FA because if we Hackers™ know one thing, it's "2FA good. TOTP good. SMS bad.". On the Account Security page,

Two-factor authentication [ Turn on ]

but that [ Turn on ] button is greyed out. Above is

Account recovery: Disabled [ Set up ]

A bit odd to get recovery codes before setting up TOTP, but seems harmless. I clicked [ Set up ].

Add your phone number

We need to set up a way for you to recover your account in case you lose access to your two-factor
authentication device. We do this by confirming your phone number. We'll send you a numeric code
to this number to verify your account. Message and data rates may apply.

In this year of our Lord twenty twenty-five, that is the only option.

Before bothering anyone, I know to RTFM, so I do. The "Two-Factor Authentication" page described the setup process in full detail with no mention of telephones or short message services. The other (almost identical) "Two-Factor Authentication" page described the same process, but mentioned the telephone.

HackerOne uses a (something)Desk platform for support, so I signed up there and opened an issue explaining that I want to use TOTP and don't use SMS, and that there are two pages with instructions of which half are wrong. The automated email acknowledgement arrived promptly.

Early the next day email arrived from H1 Support <support@hackerone.com> with a response I can accurately paraphrase as, "We are sorry to hear that you are incompetent. Please RTFM." with a link to the more accurate of the two pages. Replying to this email, I politely explained that I appreciated the response, but that they seem to have missed both the issue I reported and the documentation problem, then clearly identified each in a more structured fashion.

The reply to my email was almost instant.