Android fiction apps expose millions of readers and writers

Published: 26 November 2025
Last updated: 26 November 2025
Popular Android apps leak personal user details

An unsecured server has exposed 100 million data records of readers and writers using some of the internet’s largest fiction apps.

Key takeaways:
  • Over 100 million user records from fiction apps leaked through an unsecured database.
  • Exposed data included readers' intimate preferences, authors' government IDs, contracts, and other sensitive details.
  • Fiction reading habits can reveal sensitive personal information including relationship struggles, trauma, mental health issues, and sexuality preferences.
  • Affected users should immediately change passwords, enable multi-factor authentication, and monitor accounts for suspicious activity.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

Cybernews researchers uncovered an exposed Elasticsearch cluster leaking more than 101 million user records from some of the internet’s most popular hubs for user-generated stories, fan fiction, and paid serials.

ADVERTISEMENT

A massive backend database held more than 1.5TB of unencrypted data and was sitting on the open internet with zero authentication.

This type of misconfiguration is one of the most common causes of catastrophic data leaks on the modern internet, with many companies falling victim to it.

Among those affected are users of fiction-lover apps such as GoodNovel and Webfic, with both apps having multi‑million installs on Android.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

The apps have strong audiences in the US, UK, Canada, Australia, and large English-reading communities in South and Southeast Asia, parts of the Middle East, and Africa.

The platforms are also popular with indie and aspiring authors worldwide, as they lower the entry bar to the publishing world. Authors, unfortunately, have also been affected by the leak.

The exposed cluster revealed a highly sensitive dataset containing 257,663 author records, pulled from the backend system used to handle contributor applications, contracts, and editorial workflows across the platforms.

What readers’ data was leaked?

ADVERTISEMENT
  • Emails
  • Full names
  • Password hashes (md5)
  • Phone numbers
  • Gender
  • Device metadata
  • Reading history
  • Bookshelf activity
  • Interaction logs
  • Behavioral analytics
Android flaw
Image by Cybernews.

What author data has been leaked?

  • Email
  • Real name
  • Pseudonym
  • Full address, including city, ZIP code, and state or country
  • Personal ID number and direct S3-style path to uploaded ID card image
  • Age and nationality declarations
  • Book information, including book title, status, genre, planned chapters, and writing status
  • Editorial metadata, including editor name and reviewer identifiers tied to the publishing workflow
  • Platform contract details, including contract type, status, buyout fee, payment structures, and profit share parameters
  • Narrative outline, including detailed book synopses, often in raw text format with explicit plot content, as part of their application or contract submission
  • Sensitive contract metadata, including profit-sharing models and editorial evaluations in plain text

Readers and writers at risk

For readers, the leak is a serious interference with their privacy. Fiction apps are the silent witnesses of the readers' intimate information.

Readership activities may suggest that a user is having relationship struggles, going through trauma, and mental health issues. And, in some cases, it may reveal sexuality.

When this kind of data is cross-referenced with identity markers, device data, and behavioral logs, it can become a powerful profiling tool for malicious actors.

For authors, the impact is even more severe. Many had their government IDs, contracts, payment structures, and manuscript outlines spilled into the open internet.

Has my data been leaked?
Check Now
ADVERTISEMENT

This could expose them to identity theft, financial fraud, or intellectual property theft.

Authors from around the world, including those in the US, were part of the leaked dataset. The geographical range of the affected raises huge compliance concerns for the platforms handling the personal data of international contributors.

Cybernews researchers advise all GoodNovel and Webfic users to change passwords and enable multi-factor authentication. They should also monitor their emails for phishing attempts and suspicious login activity.

Authors who have provided identity documents should consider updating their passwords and enabling multi-factor authentication.

It is recommended that authors regularly monitor their financial accounts for any irregularities. To mitigate the risks completely, it is a good idea to sign up for credit monitoring services to instantly detect any attempts at identity theft.

android malware
Image by Cybernews.

Who is responsible for the data leak?

Tracing back the ones responsible for the leak has been complicated. The apps are developed by different companies. The developer of the GoodNovel app is SINGAPORE NEW READING TECHNOLOGY PTE. LTD, while the Webfic app was created by DIANZHONG TECHNOLOGY SINGAPORE PTE. LTD.

The fact that both of the apps' data have been leaked from the same source suggests that a third-party provider or parent company might be responsible for not securing the cluster.

The affected server had some references to Sensors Software Pte Ltd, an analytics company registered in Singapore. Cybernews has reached out to the Singaporean CERT for assistance.

ADVERTISEMENT

After initial contact with CERT, the data was secured. According to communications from Sensors Software Pte Ltd, forwarded by the Singapore CERT, the server belonged to one of their customers, but our journalists were unable to identify it.

Cybernews journalists reached out to the affected companies for a comment, but no response was received.

Disclosure timeline

  • Initial disclosure: June 3rd, 2025
  • Disclosure to GoodNovel and Webfic: October 1st, 2025
  • CERT contacted: October 9th, 2025
  • Leak closed: November 6th, 2025

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Meta has quietly shipped the technology needed for facial recognition glasses
Hackers getting an easy ride: misconfigured cloud settings behind growing number of data breaches
Anthropic claims AI is too fast and needs to hit the brakes: let’s take it with a pinch of salt
US lawmakers push new bill on AI safety, state law limits, worker protections
Pewdiepie declares war on big tech following the release of his free and local AI workspace
California tech CEO busted for selling forbidden US technology to Iran’s nuclear agency
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked