AI Apps Data Leak Exposes 2 Million User Files as Android Users Face Widespread Privacy Risks

Top Android AI photo and video editor exposes nearly two million user images and videos

Misconfigured database holding millions of images and videos found online * Cybernews found misconfigured database in "Video AI Art Generator & Maker" app * Leak exposed 8.27m media files, including 2m private user photos and videos * Developers secured database after disclosure; similar flaws seen in another Codeway app Yet another misconfigured database leaking sensitive user data was found, but this one is even more worrying since the data being leaked is - user-uploaded photos and videos. Researchers from Cybernews recently discovered an Android app called "Video AI Art Generator & Maker" contained a misconfigured Google Cloud storage bucket which was accessible to anyone who knew where to look. In total, more than 1.5 million user images, and more than 385,000 videos were stored in the bucket. Furthermore, it stored more than 2.87 million AI-generated videos, more than 386,000 AI-generated audio files, and more than 2.87 million AI-generated images. Several vulnerable apps The app offered AI-generated makeovers for photos and videos - something that is particularly popular these days. It was launched in mid-June 2023 and according to Cybernews, has been storing the multimedia people upload since then. So, in total, the exposed bucket contained 8.27 million media files, 2 million of which were private, user-uploaded content. The app was allegedly developed by Codeway Dijital Hizmetler Anonim Sirketi, a private company registered in Turkey, but we could not find this app on the Play Store, or the developer's official website. Codeway's dedicated Play Store page shows only three apps. However, the official website does demonstrate a different app, called Chat & Ask AI, and this one also had a misconfigured backend using Google Firebase. In early February 2026, an independent researcher found that this app, one of the most popular ones in its category, exposed 300 million messages tied to 25 million users. Still, Cybernews said it managed to get in touch with the developers, who secured the Video AI Art Generator & Maker database soon after. "This data leak shows how some AI apps prioritize fast product delivery, skipping crucial security features, such as enabling authentication for the critical cloud storage bucket used to store user data, including images and videos," the researchers explained. Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button! And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Unsecured AI apps are leaking personal data of Android users

AI apps are a "treasure trove" of leaked data, researchers say. Credit: Anadolu Agency / Contributor / Anadolu via Getty Images Not every AI tool you stumble across in your phone's app marketplace is the same. In fact, many of them may be more of a privacy gamble than you would have previously thought. A plethora of unlicensed or unsecured AI apps on the Google Play store for Android, including those marketed for identity verification and editing, have exposed billions of records and personal data, cybersecurity experts have confirmed. A recent investigation by Cybernews found that one Android-available app in particular, "Video AI Art Generator & Maker," has leaked 1.5 million user images, over 385,000 videos, and millions of user AI-generated media files. The security flaw was spotted by researchers, who discovered a misconfiguration in a Google Cloud Storage bucket that left personal files vulnerable to outsiders. In total, the publication reported, over 12 terabytes of users' media files were accessible via the exposed bucket. The app had 500,000 downloads at the time. Another app, called IDMerit, exposed know-your-customer data and personally identifiable information from users across 25 countries, predominantly in the U.S. Information included full names and addresses, birthdates, IDs, and contact information constituting a full terabyte of data. Both of the apps' developers resolved the vulnerabilities after researchers notified them. Still, cybersecurity experts warn that lax security trends among these types of AI apps pose a widespread risk to users. Many AI apps, which often store user-uploaded files alongside AI-generated content, also use a highly criticized practice known as "hardcoding secrets," embedding sensitive information such as API keys, passwords, or encryption keys directly into the app's source code. Cybernews found that 72 percent of the hundreds of Google Play apps researchers analyzed had similar security vulnerabilities.