Twin AI data leaks expose over a billion personal KYC records and private media files

Cybersecurity researchers have uncovered two massive data leaks linked to two AI-related apps that have exposed the sensitive personal data and media files of millions of users globally. The leak was revealed via two separate reports by Cybernews (first reported by Forbes), where the security researchers warned that over a billion records could be compromised due to the leak.

IDMerit data leak:

The first leak has been attributed to an AI-powered Know Your Customer (KYC) tool used by digital identity verification provider IDMerit. The company is an AI-powered digital identity verification solutions provider and serves the fintech and financial services sector by helping businesses with real-time verification tools.

“Our researchers noticed the exposed instance on November 11, 2025, and immediately contacted the company, which promptly secured the database. While there is no current evidence of malicious misuse, automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear,” the researchers wrote.

The leak exposed 1 billion sensitive personal records spanning individuals from 26 countries. The United States was the most affected, with over 203 million exposed records, followed by Mexico (124 million) and the Philippines (72 million).

The exposed data included “core personal identifiers used for your financial and digital life,” including full names, addresses, postcodes, dates of birth, national IDs, phone numbers, genders, email addresses, and telco metadata.

Researchers say that the downstream risks of this data leak could include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms.

Video AI Art Generator & Maker leak:

The second leak is linked to an Android app named “Video AI Art Generator & Maker,” which has been downloaded over 500,000 times on Google Play and rated 4.3 stars with over 11,000 reviews.

The app was found leaking user data due to a misconfigured Google Cloud Storage bucket that allowed access to anyone to stored files without authentication. Researchers say that the app leaked over 1.5 million user images and 385,000 videos, along with millions of media files that users had generated using AI.

The exposed bucket included approximately 8.27 million media files and over 12TB of users’ media. Researchers say that it had stored and leaked every file uploaded since its launch on June 13, 2023, while the oldest file in the bucket dates back to three days before the launch.

The app was developed by Turkey-registered Codeway Dijital Hizmetler Anonim Sirketi, a company that previously saw another of its apps, Chat & Ask AI, leak roughly 300 million messages tied to more than 25 million users.