If you’re into chastity play, you might own an internet-enabled chastity device designed to share your kink with your partner. And you also might want to change your password.
TechCrunch reports that several flaws in an unnamed smart sex toy manufacturer’s servers have exposed over 10,000 of its users’ personal data, including information which can be used to identify them. This includes email addresses, plaintext passwords, home addresses, IP addresses, PayPal logs, and even GPS coordinates.
Unfortunately, there’s no quick and easy way of knowing whether you’ve been impacted. The company has not been publicly identified in order to protect its customers, as the vulnerability has not yet been fixed.
However, TechCrunch has confirmed that the company makes chastity devices for penises, which can be controlled by a partner using an Android app and an internet connection. Said partner can also track the person wearing the device via GPS.
Chastity devices, such as harnesses, cages, and straps, form part of chastity play, a kink which involves one partner using a device to prevent themselves from becoming fully aroused. The idea is that once the person is freed from the device, they’ll be able to unleash their full desire.
If you own an internet-enabled chastity device, it might be time for an internet security checkup — and perhaps time to consider deleting any unused accounts. Even if you do change your sex toy’s password, your new one could be just as exposed if the server flaw isn’t addressed.
And if you indulge in the cardinal security sin of reusing passwords, you should definitely change the password on any other account that shares one with your chastity device.
According to the publisher, the vulnerability was first detected by an anonymous security researcher, who told TechCrunch they reached out to notify the sex toy company on July 17. Then, when they did not receive any response, the researcher reportedly vandalised the company’s website to leave a warning to users on Aug. 23.
“[COMPANY] has left the site wide open, allowing any script kiddie to grab any and all customer information,” the researcher wrote on the homepage. “This includes plaintext passwords and contrary to what [COMPANY] has claimed, also shipping addresses… If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.”
The message was removed within a day, but the servers’ security flaws remain.
While smart sex toys offer novel possibilities for sexual escapades, they also carry the risk of making security breaches even more distressing than they already are. In 2020, a vulnerability found in the Cellmate penis chastity device made it possible for hackers to lock all devices simultaneously. If it had been exploited, the lack of a manual override meant trapped penises may have had to be cut free using power tools.
The Cellmate chastity devices were reportedly later hacked in 2021, with attackers demanding 0.02 Bitcoin to free users’ genitals — the equivalent of $750 at the time. There are no reports of users losing access to their penis, as the victims who spoke to Vice were not wearing the Cellmate at the time. But then again, some impacted people may not have been too keen to step forward. Cellmate manufacturer QIUI has categorically denied all reports of any hacks.
It’s unlikely that QIUI is the mystery company at the centre of this latest smart sex toy scare, as TechCrunch noted that the impacted device only has an Android app. CAG.INK, the rebranded Cellmate, has both Android and iOS apps.
Even so, it’s a good opportunity to check your security settings, change your passwords, and delete unused accounts regardless of the specific device you’re using. And maybe consider exploring some lower-tech toys.