Two AI apps exposed 12TB of user data on Google Play

MUMBAI: AI apps promising magic transformations just pulled off a vanishing act of privacy leaving 12 terabytes of user secrets wide open for anyone to grab. Security researchers have exposed a major data breach tied to two Android apps previously listed on the Google Play Store, highlighting ongoing risks in the rush to deploy AI-powered tools. The first, Video AI Art Generator & Maker from developer Codeway, surpassed 500,000 installs and amassed over 11,000 reviews before the flaw was uncovered.

A misconfigured Google Cloud Storage bucket left the entire media library unprotected no authentication required. Forbes-cited analysis revealed more than 1.5 million user-uploaded images, over 385,000 videos, and millions of AI-generated files, totalling 12TB or 8.27 million items collected since the app launched on 13 June 2023. The app has since been removed from public search on the Play Store.

The problem didn’t stop there. Researchers found a similar exposure in Codeway’s second app, IDMerit, which handled Know Your Customer (KYC) verification. Leaked data included identity documents, addresses, phone numbers, and other personal details used for financial and onboarding processes. The breach impacted users in the United States and at least 25 other countries, including Germany, France, China, and Brazil. Codeway reportedly secured the IDMerit bucket on 3 February 2026.

Investigators traced the root cause to a common and dangerous practice, hardcoding sensitive credentials passwords, API keys, encryption secrets directly into app source code. Automated bots scanning public repositories can snatch these in seconds. Cybernews researchers noted that 72 per cent of analysed Play Store apps exhibited similar vulnerabilities.

The incidents serve as a stark reminder for users, AI-editing tools and identity-verification apps from lesser-known developers can carry hidden risks. Security experts recommend checking a developer’s track record, looking for Google’s “Verified Developer” badge, carefully reviewing requested permissions, and avoiding uploads of sensitive documents unless absolutely necessary.

In an era where AI promises to create, edit, and verify almost anything, these leaks show that the real risk isn’t always the tech failing, it’s the shortcuts developers take when rushing it to market.