Cybernews discovered how two AI companion apps, Chattee Chat and GiMe Chat, exposed millions of intimate conversations from over 400,000 users.

This is not the first time we have to write about AI “girlfriends” exposing their secrets—and it probably won’t be the last. This latest incident is a reminder that not every developer takes user privacy seriously.

This was not a sophisticated hack that required a skilled approach. All it took was knowing how to look for unprotected services. Researchers found a publicly exposed and unprotected streaming and content delivery system—a Kafka Broker instance.

Think of it like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.

That’s what happened with the two AI apps. The “post office” (Kafka Broker) was left open on the internet without locks (no authentication or access controls). Anyone who knew its address could enter and see every private message, photo, and the purchases users made.

The Kafka broker instance was handling real-time data streams for two apps, which are available on Android and iOS: Chattee Chat – AI Companion and GiMe Chat – AI Companion.

The exposed data belonged to over 400,000 people and included 43 million messages and over 600,000 images and videos. The content shared with and created by the AI models was not suitable for a work environment (NSFW), the researchers found.

One of the apps—Chattee—was particularly popular, with over 300,000 downloads, mostly in the US. Both apps were developed by Imagime Interactive Limited, a Hong Kong-based developer, though only Chattee gained significant popularity.

While the apps didn’t reveal names or email addresses, they did expose IP addresses and unique device identifiers, which attackers could combine with data from previous breaches to identify users.

The researchers concluded:

“Users should be aware that conversations with AI companions may not be as private as claimed. Companies hosting such apps may not properly secure their systems. This leaves intimate messages and any other shared data vulnerable to malicious actors, who leverage any viable opportunities for financial gain.”

It doesn’t take a genius cybercriminal with access to data from other breaches to turn the information they found here into something they can use for sextortion.

Another thing that the information shows is that the developer’s revenue from the apps exceeded $1 million. If only they had spent a few of those dollars on security. Securing a Kafka Broker instance is not technically difficult or especially costly. Setting up proper security mostly requires configuration changes, not major purchases.

Leaks like this one can lead to harassment, reputational damage, financial fraud, and targeted attacks on users whose trust was abused—which does not make for happy customers.

Protecting yourself after a data breach

The leak has been closed after responsible disclosure by the researchers, but there is no guarantee they were the first to find out about the exposure. If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
• Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.