Recently, the cybersecurity news outlet Cybernews disclosed a large user data exposure involving two popular AI companion apps, "Chattee Chat - AI Companion" and "GiMe Chat - AI Companion." Because of basic security lapses by the apps' developer, the private data of more than 400,000 users, 43 million messages, and over 600,000 images and videos were left reachable from the open internet.


Unprotected Storage Instances: Data Left Wide Open

According to Cybernews' investigation, the source of the exposure was an unprotected Kafka broker instance that received and stored all user messages. The research team found that the broker enforced no authentication and no access control, so anyone who discovered its address and port could connect and read all user data. This is the failure mode of a Kafka broker run with defaults: the standard listener is PLAINTEXT, client authentication (SASL or TLS client certificates) is off unless configured, and without an authorizer there are no ACLs, so every topic is readable and writable by any client that can reach the port.
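The two lapses the investigation describes (no authentication, no access control) both show up as settings in a broker's server.properties. The following audit script is an added example written for this article, not code from Cybernews or from the app's developer. It parses a properties file, flags listeners that accept unauthenticated clients on non-loopback interfaces, and flags a missing or default-allow authorizer. The two configuration samples are constructed for the demonstration; the hostnames and file paths in them are placeholders.

```python
"""Audit a Kafka server.properties for the lapses described above:
no client authentication and no access control (ACLs)."""
from __future__ import annotations

# Constructed sample: a broker on default settings, reachable on all interfaces.
EXPOSED_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka.example.internal:9092
log.dirs=/var/lib/kafka
# no authorizer.class.name and no SASL/TLS settings
"""

# Constructed sample: the same broker with SASL over TLS and an ACL authorizer.
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
# ZooKeeper-mode authorizer; KRaft mode uses org.apache.kafka.metadata.authorizer.StandardAuthorizer
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # Java also allows 'key: value'
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (listener name, security protocol, host, port) for each listener.

    listener.security.protocol.map maps custom listener names to protocols;
    a listener named after a protocol (PLAINTEXT, SSL, SASL_SSL, ...) uses it directly.
    """
    proto_map: dict[str, str] = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        if ":" in entry:
            name, proto = entry.split(":", 1)
            proto_map[name.strip().upper()] = proto.strip().upper()
    listeners = []
    for entry in props.get("listeners", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, _, hostport = entry.partition("://")
        name = name.upper()
        host, _, port = hostport.rpartition(":")  # empty host means bind all interfaces
        listeners.append((name, proto_map.get(name, name), host, port))
    return listeners


def audit(text: str) -> list[str]:
    """Return one finding per lapse; an empty list means both controls are present."""
    props = parse_properties(text)
    findings: list[str] = []
    for name, proto, host, port in listener_protocols(props):
        if host in LOOPBACK:
            continue  # only local processes can reach it
        if proto == "PLAINTEXT" or (
            proto == "SSL" and props.get("ssl.client.auth", "none") != "required"
        ):
            # PLAINTEXT has no authentication; SSL encrypts but only authenticates
            # the client when ssl.client.auth=required.
            findings.append(
                f"listener {name} ({proto}) on {host or '0.0.0.0'}:{port} "
                "accepts unauthenticated clients"
            )
    if not props.get("authorizer.class.name"):
        findings.append("no authorizer.class.name: no ACLs, every client can read and write every topic")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an explicit ACL are open")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a real server.properties by passing the file contents to `audit()`. The check is deliberately conservative: it treats any non-loopback PLAINTEXT listener as a finding even when the operator believes a firewall sits in front of it, because that is exactly the assumption that fails when a broker ends up exposed.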

Although the exposed data did not contain names or other direct identifiers, the IP addresses and unique device identifiers in it can be correlated with other sources to tie conversations to specific people, opening the door to extortion or harassment.

High Spending and Risk of Account Hijacking

Both apps are available on Android and iOS. "Chattee Chat" at one point ranked 121st in the Apple App Store's "Entertainment" category, with an estimated download count above 300,000. Users interacted heavily, sending an average of 107 messages each to their AI companions.

On the financial side, the study found that individual users had spent as much as $18,000 on in-app virtual currency, with total revenue possibly exceeding $1 million. More dangerously, authentication tokens were among the exposed data, giving attackers a way to hijack user accounts and drain their virtual currency, which raises the risk of direct financial loss for users.

Lessons from the Incident: AI Companion Apps Require Strengthened Regulation

After Cybernews reported the issue, the developer promptly took the exposed Kafka broker offline. Researchers cautioned, however, that it remains unknown whether anyone else had already copied the data before it was secured. Closing the broker also does nothing about authentication tokens already captured from it: those remain usable until they expire or are revoked, so invalidating existing sessions is part of any proper response.