Millions of Cutout.pro users had their account and personal details exposed, including email addresses and passwords.
The ad for the allegedly stolen data was posted on a popular data leak forum, with attackers claiming they’ve obtained details on over 20 million Cutout.pro users.
The leak, weighing 6GB and including over 44 million records, supposedly contains a trove of user information, including email addresses, passwords, salt values, and other details.
Salt is a security measure added to a password before it is hashed and stored. Exposing the salt value severely weakens password protection and allows attackers to obtain unauthorized access to user accounts.
The sample of leaked data was independently verified by security researchers. We have contacted the company for comment but did not receive a reply before publishing.
In early 2023, the Cybernews research team discovered that Cutout.pro leaked user-generated content via an open ElasticSearch instance.
According to the team, Cutout.pro exposed customer usernames and images they created using the company’s tools. Moreover, the instance also had information on the number of user credits, a virtual in-service currency, and links to Amazon S3 buckets, where generated images were stored.
However, researchers claim that the data posted on a leak forum and the leak discovered last year are separate events, as the exposed data doesn’t match.
Cutout.pro’s services allow users to manipulate photos or generate images with the help of an AI-based Application Programming Interface (API). The functionality enables the integration of the company’s services into other apps for third-party use.
The company self-reported having over 300 million API requests, peaking at 4,000 requests per second from over 5,000 applications and websites used worldwide. Cutout.pro boasts of working with over 25k businesses.