A popular AI-powered Android app available on the Google Play Store has exposed massive amounts of sensitive user data, totalling more than 12TB and containing millions of personal files, due to critical security misconfigurations, revealed cybersecurity researchers.
The breach, which was originally uncovered by Cybernews researchers, affected users across more than 25 countries, including the United States, Germany, France, China, and Brazil. The exposed information includes personal photos, videos, AI-generated media, and highly sensitive Know Your Customer (KYC) documents such as identity proofs, addresses, phone numbers, and other personally identifiable information, creating what experts describe as a “treasure trove” ripe for identity theft, fraud, and other cybercrimes.
AI app leak data: Here is what was exposed
The primary app attacked is Video AI Art Generator & Maker, developed by Codeway. Launched on June 13, 2023, it had collected over 500,000 installations and more than 11,000 reviews before the issue surfaced. Researchers found that a misconfigured Google Cloud Storage bucket allowed unauthenticated public access to user-uploaded content, leaking:
– More than 1.5 million user images.
– Over 385,000 videos
– Millions of AI-generated files
In total, 8.27 million files accumulated since launch were left exposed, amounting to over 12TB of data.
Leak caused due to misconfigurations, hardcoded secrets
The exposures emerged from two common yet dangerous practices:
Misconfigured cloud storage: Google Cloud buckets were set to allow public access without authentication.
Hardcoded secrets: Sensitive credentials (API keys, database access) embedded directly in app code, making them easily harvestable. Cybernews’ analysis of Android AI apps showed 72% contained at least one hardcoded secret, averaging 5.1 per app, with many tied to Google Cloud infrastructure.
Developer swung into action
Following disclosure:
– Codeway secured the affected buckets by February 3.
– The ‘Video AI Art Generator & Maker’ app was removed from public search results on the Google Play Store.
Google has not issued a specific statement on these incidents, but the cases underscore ongoing challenges in vetting AI apps for security.
What to do if you used this AI app
The leaked data poses severe threats, including targeted scams, impersonation, financial fraud, and privacy violations. Researchers urge Android users to:
– Exercise extreme caution with AI photo/video editing or identity verification apps, especially from lesser-known developers.
– Check for the Google “Verified Developer” badge and review developer portfolios.
– Scrutinise app permissions before granting access to camera, storage, or documents.
– Avoid uploading sensitive identity documents unless absolutely necessary and from trusted sources.