Japan’s top English app puts 5M users at risk of AI fraud

Mastering a new language with AI apps might put you at risk of deepfakes. Cybernews researchers have just discovered that a premier Japanese learning app left the voices of its 5 million users exposed to the open web.

The go-to app for learning English, Abceed, which partners with Paramount, Sony Pictures Entertainment, TMS Entertainment, and major textbook publisher Sanseido, has just exposed nearly 10TB of user data.

According to a recent investigation by the Cybernews research team, a misconfigured Google Cloud Storage bucket exposed over 46 million files, the vast majority of which were private audio recordings of users practicing their English skills.

abceed data leak 3 — Audio recording sample in waveform. Source: Cybernews

The Abceed app is developed by the Japanese Globee Inc, a public company listed on the Tokyo Stock Exchange with a market cap of approximately 3.51 billion Yen ($20 million USD).

The application has claimed to dominate the charts, ranking as the #1 education app in Japan with a user base of 5 million. It is also endorsed by schools and major corporations, and is downloaded by over 500,000 people on the Android version alone.

abceed data leak 4 — Audio recording sample in waveform. Source: Cybernews

English learners are at risk of voice fraud

A leaked audio clip of someone mispronouncing "th" sounds might seem harmless. However, in the age of generative AI, your voice is a biometric asset. Cybernews researchers warn that this specific dataset is a "gold mine" for malicious actors.

“Malicious actors could abuse a dataset of leaked recordings to craft phishing campaigns. They can use voice cloning technologies together with vishing, mimicking the voices of coworkers, friends, or family members,” our research team said.

abceed data leak 2 — File listing enabled on the misconfigured cloud instance. Source: Cybernews

“It can also be used to create personas where ethnicity and inexperience in speaking English may become a convincing factor for sextortion, or ‘pig butchering’ scams.”

These recordings can also capture unintended background noise, including private conversations, household sounds, or office environments, adding another layer of risk for app users.

What are the risks of voice cloning?

Deepfake phishing: Using just a few seconds of clear audio, AI can clone a voice to conduct vishing (voice phishing) attacks. Attackers can fake the voice of a family member or colleague calling in distress to request urgent funds.
Malicious personas: The leaked recordings include metadata like tone, emotion, and accent. Hackers could use these to create convincing, automated personas for pig butchering or sextortion attacks.
Biometric bypassing: Some banking and government services use passive voice authentication. Attackers could potentially exploit high-fidelity recording to gain unauthorized access to sensitive accounts.

After discovering the data leak, our research team contacted the company, and the instance was secured. The company has not provided an official comment. A response to our journalists’ questions is yet to be received.

How to protect your voice from AI phishing attacks

If you have recently used the Abceed app to practice your English, your voice may now be part of the leaked dataset. Because you cannot "change" your voice as easily as a leaked password, you'd better stay more alert for potential phishing attacks.

Establish a "safe phrase." Agree on a random, not easily guessable word or phrase that you share only with your inner circle. If you receive an urgent call from a family member asking you to send money or to share your bank logins, ask for the safe phrase. If they can't provide it, hang up.

Call them back to double-check. If you receive a suspicious call from a known contact who sounds like someone you know, hang up. To verify the authenticity, manually type their number from your contact list and call them back. Do not simply click "Redial" on the incoming call. Scammers can fake the number that appears on your phone using VoIP systems. So even if it looks like your friend, bank, or colleague is calling, it might not be them.

Revise voice biometrics. If your bank or any government service uses "Voice ID" for authentication, contact them to disable it. A high-fidelity recording of you speaking English, as found in the Abceed leak, can be reassembled by AI to bypass passive voice triggers. Request Hardware MFA or app-based authentication, such as Google or Microsoft Authenticators, instead.

abceed data leak 1 — Detected hardcoded secrets. Source: Cybernews

Android AI apps are vulnerable to attacks

The current findings were part of Cybernews’s large-scale research into Android AI applications. The findings showed that AI apps are highly vulnerable to attacks, as 72% percent of the analyzed apps contained at least one hardcoded secret.

Despite the cybersecurity community consistently identifying hardcoding secrets as one of the worst security practices, the numbers show that it remains widespread.

On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

Disclosure timeline

Initial metadata indexing: December 2nd, 2025
Full analysis: December 12th, 2025
Initial disclosure: December 16th, 2025
CERT contacted: December 19th, 2025
Data secured: January 12th, 2026

Unlock more exclusive Cybernews content on YouTube.

Share

Post