Cybersecurity researchers have uncovered two massive data leaks linked to two AI-related apps that have exposed the sensitive personal data and media files of millions of users globally. The leak was revealed in two separate reports by Cybernews (first reported by Forbes), in which the security researchers warned that over a billion records could be compromised.
IDMerit data leak
The first leak has been attributed to an AI-powered Know Your Customer (KYC) tool used by digital identity verification provider IDMerit. The company is an AI-powered digital identity verification solutions provider that serves the fintech and financial services sectors by providing real-time verification tools.
“Our researchers noticed the exposed instance on 11 November 2025, and immediately contacted the company, which promptly secured the database. While there is no current evidence of malicious misuse, automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear,” the cybersecurity researchers wrote.
The leak exposed 1 billion sensitive personal records spanning individuals from 26 countries. The United States was the most affected, with over 203 million exposed records, followed by Mexico (124 million) and the Philippines (72 million).
The exposed data included “core personal identifiers used for your financial and digital life,” including full names, addresses, postcodes, dates of birth, national IDs, phone numbers, genders, email addresses and telco metadata.
Researchers say that the downstream risks of this data leak could include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms.
Video AI Art Generator & Maker leak
The second leak is linked to an Android app named “Video AI Art Generator & Maker,” which has been downloaded over 500,000 times on Google Play and rated 4.3 stars with over 11,000 reviews.
The app was found leaking user data due to a misconfigured Google Cloud Storage bucket that allowed anyone access to stored files without authentication. Researchers say the app leaked over 1.5 million user images and 385,000 videos, along with millions of media files generated by users using AI.
The exposed bucket contained approximately 8.27 million media files and over 12TB of users’ media. Researchers say that it has stored and leaked every file uploaded since its launch on 13 June 2023, while the oldest file in the bucket dates back to three days before the launch.
The app was developed by Turkey-registered Codeway Dijital Hizmetler Anonim Sirketi, a company that previously saw another of its apps, Chat & Ask AI, leak roughly 300 million messages tied to more than 25 million users.
