
Millions of customer conversations with Sears Home Services, including voice recordings, were left exposed online when an AI customer support bot leaked the logs.
AI assistants are becoming a big deal for customer service in the retail sector, and so are the security risks.
While AI agents can be beneficial in customer interactions by improving response times and reducing the workload on human agents, they also collect customer data. This might be an issue.
Cybersecurity researcher Jeremiah Fowler has recently identified a massive data leak caused by an AI virtual assistant used for customer service, scheduling, and support operations.
He discovered three publicly accessible databases that lacked authentication and had sensitive data that was not encrypted.
Together, they contained approximately 3.7 million records, including chat transcripts, audio recordings, and text transcriptions of customer interactions dating from 2024 to 2026.
The data was linked to Sears Home Services, a major appliance repair provider in the United States that performs over seven million repairs annually. Transformco, the company that owns Sears, boasts revenue of around $80 million.
“In a limited sample of the exposed documents I reviewed as part of the investigation, all of the files contained references to Sears Home Services,” the researcher said, sharing his findings with ExpressVPN.
The exposed files referenced AI systems identified as “Samantha,” a customer-facing chatbot, and “KAIros,” a broader AI platform used for scheduling and operational support.
The scope of the exposure
The databases contained a wide range of customer interaction data, including:
- Over 2.1 million text files with scheduling conversations
- More than 200,000 spreadsheet logs and associated audio files
- Approximately 1.4 million audio recordings of customer calls, totaling nearly 4TB of data
- 54,359 complete chat logs from start to finish.
What data was exposed?
Many of the records included personally identifiable information (PII), such as:
- Names
- Physical addresses
- Email addresses
- Phone numbers (in some records)
- Details about products, accounts, services, repairs, or delivery appointments
- Chat histories
The issue has been fixed, but no follow-up
Fowler reported the exposure to Transformco, and the following day, the company restricted public access to the databases.
According to Fowler, he received confirmation that the notification had been forwarded internally, but did not receive further correspondence.
It remains unclear whether the databases were managed directly by Sears Home Services or by a third-party vendor. The duration of the exposure and whether any unauthorized parties accessed the data are also unknown.
“Only an internal forensic audit could identify additional access or potentially suspicious activity,” the researcher claimed.
Huge security risks
When customer service calls get recorded, it’s not just a transcript you’re leaving behind. Unlike text, voice recordings can be used to recognize or even replicate a person’s identity.
Researchers have shown that as little as 30 seconds of audio can be enough to convincingly clone a voice, and with deepfake-related fraud projected to hit $40 billion by 2027, that kind of data starts to look less like routine customer service and more like raw material.
Audio also has a habit of capturing more than it’s supposed to. In several cases, calls didn’t end when the conversation did. The line stayed open, and the system kept recording, sometimes for hours, picking up background conversations that had nothing to do with appliance repairs or service requests.
“I heard numerous calls where customers called and didn’t hang up, and the chatbot continued to record up to 4 hours of audio, including conversations unrelated to the products or services, raising additional potential privacy concerns,” the researcher warned.
Exposed full chatbot logs don’t just show what was discussed between the customer and AI – they can reveal how the internal system works: its prompts, its guardrails, and the logic that decides when it helps, refuses, or escalates.
“Hypothetically, a competitor could reverse-engineer the assistant, replicate its behavior, shortcut years of research and development, and launch a similar product at a fraction of the cost,” the researcher explained.
Cybernews has reached out to Sears for comment, but has not yet received a response.
Transformco has had a cyber incident before
This is not the first time the company has had issues with data security. In 2021, the company informed customers about suspicious activities on their systems.
Investigations determined that Social Security numbers, financial account numbers, and healthcare insurance information about current and former Transformco employees had been exfiltrated.
What to do if you might be affected by the Sears Home Services data leak?
If your information may have been exposed, the most important step is to stay alert to how that data could be used.
Breaches like this often don’t lead to immediate harm. However, the leaked data could be used to craft sophisticated phishing campaigns or exploited for identity fraud over time.
“My advice to anyone who may have had their PII exposed in a data breach is to be aware of common tactics that criminals use,” the researcher advised.
“Knowing the basics of how to identify and prevent phishing attempts, identity fraud, or account takeovers can help protect user data and privacy.”
If you recently used Sears’ online services, you should:
- Update passwords for accounts linked to the exposed information
- Enable two-factor authentication where possible
- Monitor financial statements and account activity for anything unusual