Hi HN, I'm the researcher who found these vulnerabilities. Happy to answer questions.

A few clarifications on the technical side:

The XMPP issue wasn't just about JIDs containing emails - it was that their roster sync actively linked internal IDs to real email JIDs. Even their "v2" endpoints that tried to hide emails were useless because the XMPP layer still exposed everything.

Regarding the "14 months to fix" claim - they actually had the fix ready (they admitted they could do it in 1 month) but chose not to deploy it for "legacy support." The fix they implemented after public pressure was exactly what I suggested months ago: just use the internal IDs they already had.

The most frustrating part was discovering other researchers reported these exact bugs in 2022 and 2023. Lovense told them it was "fixed" while paying them peanuts ($350 vs the $3000 they paid me for the same bugs).

Also, to address the over-engineering comment by chmod775 - you're spot on. They had internal user IDs (ofId) the whole time but maintained this complex dual system. The "architectural complexity" was self-inflicted.