AI Apps Leak Billions of User Records

A significant number of AI applications available on mobile app stores present substantial privacy risks to users. Recent investigations revealed that many unlicensed or unsecured AI apps, including those for identity verification and editing, have led to the exposure of billions of personal records. One particular app, marketed as a video AI art generator, leaked approximately 1.5 million user images, over 385,000 videos, and millions of AI-generated media files. This occurred due to a misconfiguration in cloud storage, leaving over 12 terabytes of user data vulnerable.

Another app, IDMerit, compromised know-your-customer data and personally identifiable information for users across 25 countries, with the majority being from the U.S. The exposed data included full names, addresses, birthdates, and contact details. While developers of these specific apps have since resolved the identified vulnerabilities, cybersecurity experts caution that lax security practices are a pervasive issue. Many AI apps embed sensitive information like API keys and passwords directly into their source code, a practice known as 'hardcoding secrets.' Researchers found that a concerning 72 percent of hundreds of analyzed Google Play apps suffered from similar security weaknesses, highlighting a widespread vulnerability.

As of February 21, 2026, the issue of unsecured AI apps remains a critical concern. The vulnerabilities found in apps like 'Video AI Art Generator & Maker' and 'IDMerit' underscore the potential for massive data breaches. The practice of hardcoding sensitive information within app code is prevalent, affecting a majority of analyzed applications. Users are advised to exercise caution when downloading AI applications, especially those requiring extensive personal information or permissions.