Two AI app leaks spill 1B private KYC data, media
What's the story
Cybersecurity researchers have discovered two major data breaches linked to artificial intelligence (AI) apps. The leaks have compromised sensitive personal data and media files of millions of users worldwide. According to reports from Cybernews, the incidents could expose over a billion records. The first breach is tied to IDMerit, an AI-powered Know Your Customer (KYC) tool provider for digital identity verification in fintech and financial services sectors.
Data exposure
IDMerit leak worst hit US, Mexico, Philippines
The IDMerit data leak has exposed a staggering one billion sensitive personal records from individuals across 26 countries. The US was the worst hit with over 203 million exposed records, followed by Mexico (124 million) and the Philippines (72 million). The leaked data includes core personal identifiers such as full names, addresses, post codes, dates of birth, National IDs, phone numbers, genders, email addresses, and telco metadata.
Potential threats
Downstream risks of data leak include account takeovers, phishing attacks
The researchers have warned that the downstream risks of this data leak could include account takeovers, targeted phishing attacks, credit frauds, SIM swaps, and long-tail privacy harms. They also noted that automated crawlers set up by threat actors constantly scour the web for exposed instances and download them almost instantly once they appear.
App vulnerability
Second breach linked to AI app 'Video AI Art Generator'
The second data breach is associated with an Android app called "Video AI Art Generator & Maker." The app, which has been downloaded over 500,000 times on Google Play and rated 4.3 stars with over 11,000 reviews, was found leaking user data due to a misconfigured Google Cloud Storage bucket. This allowed anyone to access stored files without authentication.
Data breach
Misconfigured Google Cloud Storage bucket leaked over 12TB of data
The misconfigured Google Cloud Storage bucket on the app leaked over 1.5 million user images and 385,000 videos, along with millions of media files created by users using AI. The exposed 'bucket' contained some 8.27 million media files and over 12TB of users' media files. It had stored and leaked every file uploaded since its launch on June 13, 2023.