AI girlfriend apps leaked millions of intimate conversations and images -- here's what we know

Two AI companion apps leaked millions of private conversations, more than 600,000 images and videos, and detailed usage data from over 400,000 users.

The exposed information included in-app transactions showing that some users spent thousands of dollars on their virtual partners, raising serious questions about data privacy in AI relationship platforms.

SEE ALSO: AI is fueling an explosive rise in fraud and digital identity crime

Cybernews researchers discovered the leak, which affected the Chattee Chat and GiMe Chat apps, through an exposed Kafka Broker instance used for real-time streaming and content delivery. The unprotected server contained messages, media files, and user logs shared between individuals and their AI companions on Android and iOS. According to the researchers, the instance was left without access controls or authentication, so anyone with a link could view the content.

“There was virtually no content that could be considered safe for work,” Cybernews researchers said. “This troubling leak highlights a huge gap between the complete trust users place in these apps -- expressing their desires and fantasies with the hope that this information remains private -- and the security negligence of the developers.”

The exposed database was traced to Imagime Interactive Limited, a Hong Kong-based company behind both of the AI girlfriend apps. The company’s privacy policy states that user information “is of paramount importance to us” and that it processes data “with a high degree of prudence.” Despite those assurances, Cybernews says it found no authentication or access restrictions in place.

The affected instance contained more than 43 million messages and over 600,000 images and videos exchanged or generated by the AI models. No names or email addresses were found in the leaked data, but it did reveal IP addresses and device identifiers which could be linked to other leaks to identify users.

Chattee Chat, which was listed as the 121st Entertainment app on the Apple App Store before the discovery, had more than 300,000 downloads and hundreds of reviews, mainly from users in the United States. The app was later delisted from Google Play, with the developer instructing Android users to sideload it instead.

AI girlfriends aren't cheap

Cybernews noted that some users spent as much as $18,000 on in-app currency, though most transactions were much smaller. The leaked records suggest the developer’s total revenue exceeded $1 million. Authentication tokens were also exposed, creating potential for account hijacking or theft of in-app funds.

The leaked data could be exploited for sextortion, phishing, or harassment campaigns, Cybernews warned.

“Users should be aware that conversations with AI companions may not be as private as claimed. Companies hosting such apps may not properly secure their systems. This leaves intimate messages and any other shared data vulnerable to malicious actors, who leverage any viable opportunities for financial gain,” the researchers concluded.

Following Cybernews’s disclosure, the exposed server was secured, but attackers could have accessed the data beforehand, especially as the instance had already been indexed by major IoT search engines.

What do you think about the AI girlfriend data leak? Let us know in the comments.