What happens when apps that promise ‘smart’ AI tools forget the basics of security? You’re exposed to one of the largest data breaches in recent months, with millions of personal photos, videos, and even KYC records left open online.
Security researchers have uncovered two major data leaks linked to AI-related apps, raising fresh concerns about how safely our personal data is being handled. Over 1 billion records exposed in IDMerit leak The first case involves IDMerit, an AI-powered digital identity verification provider used by fintech and financial services companies.
Researchers found that an exposed database contained nearly 1 billion personal records across 26 countries. The United States was the worst affected, with over 203 million records exposed, followed by Mexico (124 million) and the Philippines (72 million). The leaked data included highly sensitive details such as: Cybersecurity researchers said: Our researchers noticed the exposed instance on 11 November 2025 and immediately contacted the company, which promptly secured the database. While there is no current evidence of malicious misuse, automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear. Although the database was later secured, experts warned that such leaks can lead to serious risks like account takeovers, targeted phishing attacks, SIM swaps, credit fraud, and long-term privacy damage. Video AI Art app leaked 8.27 million media files The second leak is linked to an Android app called Video AI Art Generator Maker, which had over 500,000 downloads on the Google Play Store and more than 11,000 reviews.
Researchers found that the app’s Google Cloud Storage bucket was misconfigured. This meant anyone could access stored files without logging in or authenticating. The exposed storage reportedly contained: According to findings first reported by Forbes, the storage bucket had been leaking data since the app’s early days. The app is no longer publicly searchable on the Play Store after disclosure. Also read: Top 5 robots stole the show at India AI Summit, here’s a list
Same developer, repeated problems Both affected apps are linked to Turkey-registered developer Codeway Dijital Hizmetler Anonim Şirketi. Researchers also pointed out that another app from the same company, Chat Ask AI, had previously exposed roughly 300 million messages connected to over 25 million users. The pattern suggests recurring security weaknesses rather than a one-off mistake.
What went wrong? Investigators said one major issue behind such breaches is something called “hardcoding secrets.” This happens when developers embed sensitive credentials, such as passwords, API keys, or encryption keys, directly into the app’s source code.
If attackers or automated bots scan public repositories or app files, they can extract these secrets within seconds. According to researchers at Cybernews, about 72 per cent of Play Store apps analysed showed similar weaknesses. That means this may not be an isolated case. How users can protect themselves Also read: iPhone storage always full? Here’s how to free up space without deleting your photos and videos
A bigger wake-up call for AI apps AI-powered apps are growing fast. From art generation to identity verification, they are collecting enormous volumes of personal data.
But as these two leaks show, innovation without strong security can quickly turn into a privacy nightmare.
For users, the lesson is simple: just because an app uses AI doesn’t mean it’s secure.
