AI Companion Apps Expose Private Data of 400K+ Users

Two AI companion applications have left hundreds of thousands of users’ intimate conversations and personal media completely exposed online, according to security researchers at Cybernews who discovered the vulnerability in late August.

The apps in question (Chattee Chat and GiMe Chat) are operated by Hong Kong-based Imagime Interactive. One of the apps, Chattee, was highly popular, ranking among the top 150 entertainment apps on Apple’s App Store with over 300,000 downloads, primarily from American users.

Researchers found an unsecured Kafka Broker server, a platform used for real-time data streaming, that contained approximately 43 million user messages and more than 600,000 images and videos from roughly 400,000 users. The server had no authentication requirements or access restrictions.

The exposed content was almost entirely explicit. Users averaged 107 messages each to their AI companions, along with personal photos and AI-generated media. About two-thirds of affected users were on iOS devices, with the remainder on Android.

The leak also included IP addresses, device identifiers, and authentication tokens. Names and email addresses were not directly exposed, but experts say the available information could be cross-referenced with data from other breaches to potentially identify individuals.

Imagime Interactive’s privacy policy states that user information is “of paramount importance” and claims the company handles personal data “with a high degree of prudence.” The company did not respond to requests for comment from Cybernews.

During the research, Chattee was removed from the Google Play Store, and the developer subsequently instructed Android users to sideload the app’s APK file directly rather than installing through the official store.

Cybernews researchers disclosed the vulnerability to Imagime Interactive on September 5, and the exposed server was secured two weeks later. It remains unclear whether malicious actors accessed the data before it was secured, though the server had already been indexed by IoT search engines that catalog internet-connected devices.

Security researchers note that Kafka Broker misconfigurations are a recurring problem across industries. The technology includes built-in authentication features, but administrators often skip enabling them during development and fail to add protections before deploying to production environments. Similar exposed Kafka instances have previously been found affecting healthcare providers, food delivery services, and other consumer applications.
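As an added example (not code from Cybernews or Imagime Interactive), the following Python audit reads two constructed `server.properties` fragments, one left open in the way the article describes and one with SASL over TLS and ACL enforcement, and reports the weak settings; the keystore path and other values are placeholders.

```python
"""Audit Kafka broker server.properties for the open-access pattern in the
article: listeners with no authentication and no authorizer.  Added example
with constructed samples, not the affected company's configuration."""

# Constructed: how an exposed broker typically ends up configured.
OPEN_BROKER = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
"""
# Constructed: the same broker with SASL/SCRAM over TLS and ACLs enforced.
HARDENED_BROKER = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_kafka_config(text: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    p = parse_properties(text)
    findings = []
    # Listener names may be aliases; this map says which protocol each really uses.
    proto_map = dict(e.split(":", 1) for e in
                     p.get("listener.security.protocol.map", "").split(",") if ":" in e)
    for entry in filter(None, (s.strip() for s in p.get("listeners", "").split(","))):
        name = entry.split("://", 1)[0]
        proto = proto_map.get(name, name).upper()
        if proto == "PLAINTEXT":
            findings.append(f"listener {name}: no authentication and no encryption")
        elif proto == "SSL" and p.get("ssl.client.auth", "none") != "required":
            findings.append(f"listener {name}: TLS without client authentication")
    if "authorizer.class.name" not in p:
        findings.append("no authorizer: any client can read and write every topic")
    elif p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without ACLs are open")
    return findings
```

Running `audit_kafka_config(OPEN_BROKER)` yields two findings (the plaintext listener and the missing authorizer), while the hardened fragment yields none.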

For the complete security findings and details, check out Cybernews’ official report here.
