Android AI video generator app leaks 8M photos and videos

An AI app promising cinematic makeovers for your selfies has exposed nearly two million private photos and videos instead.

AI can refine your photos and boost your videos. But trusting your data to an app always carries the risk of exposing it to the internet, even if it’s an app downloaded more than 500,000 times on Google Play and rated 4.3 stars with over 11,000 reviews.

While investigating Android AI apps on Google’s Play Store, Cybernews researchers discovered that an app named “Video AI Art Generator & Maker” has been leaking user data. The app leaked more than 1.5 million user images and over 385,000 videos, along with millions of media files that users generated using AI.

The leak was caused by a misconfigured Google Cloud Storage bucket that allowed anyone to access stored files without authentication.

A publicly exposed video uploaded by one of the users

The bucket has stored and leaked every file uploaded since the app’s launch. The app was released on June 13th, 2023, while the oldest file in the bucket dates back three days before the launch.

In total, the exposed bucket stored approximately 8.27 million media files and over 12TB of users’ media files.

Indexed totals from the exposed storage bucket

What data has been leaked?

2.87 million AI-generated videos
Over 386,000 AI-generated audio files
2.87 million AI-generated images
Over 385,000 videos uploaded by users
Over 1.57 million images uploaded by users

This is not a unique case. A Cybernews investigation previously revealed that popular AI photo identification apps with 2 million downloads exposed their users' GPS coordinates.

A leak of user data generally indicates non-compliance with the security obligations set out in the European Union’s General Data Protection Regulation (GDPR), which protects European users.

According to GDPR, personal data needs to be processed "in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."

The conversation on this topic is live. Join in the discussion.

While no system is 100% secure, the law requires the app owner to implement "appropriate technical and organizational measures" to ensure a level of security commensurate with the risk. Publicly accessible cloud storage is highly unlikely to be considered an appropriate measure for private user data.

Violating GDPR could end up in fines for the company, which might reach up to €20 million or 4% of annual worldwide turnover, whichever is higher.

Why does the leak matter?

AI media generation apps often store original user uploads alongside processed content. In this case, private photos and videos that users may never have intended to share publicly were publicly accessible. They could have contained private and sensitive information that exposes users.

The scale is also notable. With just 500,000 downloads, the app accumulated and exposed over 12TB of user media files. This highlights how quickly consumer AI platforms can gather vast quantities of sensitive content.

App metadata, including detected hardcoded secrets

“This data leak also shows how some AI apps prioritize fast product delivery, skipping crucial security features, such as enabling authentication for the critical cloud storage bucket used to store user data, including images and videos,” Cybernews researchers explained.

What do we know about the company?

The app was developed by Codeway Dijital Hizmetler Anonim Sirketi, a private company registered in Turkey. Some of the company’s apps are also published under Deep Flow Software Services Fzco, a UAE-registered entity. Collectively, the group’s apps exceed 10 million downloads.

Cybernews reached out to the company, and after multiple attempts to communicate, the company secured access to the data. The company has not provided an official comment.

Google Cloud Storage Bucket listing showing files stored on the bucket

This is not the first time the company’s apps have leaked user data. Reportedly, an independent security researcher has discovered that another app developed by Codeway, Chat & Ask AI, had a misconfigured backend using Google Firebase. According to the researcher, he accessed roughly 300 million messages tied to more than 25 million users.

Android AI apps are not secure

Cybernews’s in-house large-scale research has revealed that Android AI applications are highly vulnerable to attacks, with 72% percent of the analyzed apps containing at least one hardcoded secret.

Despite the cybersecurity community consistently warning that such practices are among the worst, the numbers show they are still widely spread.

On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.

Disclosure timeline:

First bucket index as part of AI apps research: December 2nd, 2025
In-depth analysis and full indexing: December 9th, 2025
Initial disclosure: December 10th, 2025
CERT contacted: December 16th, 2025
Data closed: February 3rd, 2026

Unlock more exclusive Cybernews content on YouTube.

Share

Post