A massive data leak tied to two AI-powered applications has exposed more than 120 crore KYC records and over 20 crore private photos and videos, according to findings by cybersecurity researchers. The incident has reignited concerns around how fast-growing AI apps collect, store, and secure deeply sensitive personal data.
The breach was uncovered by researchers at Cybernews, who found unsecured databases linked to the apps that were openly accessible online. The exposed data included government-issued identity documents, full names, phone numbers, email addresses, physical addresses, and private media uploaded by users. In several cases, the records were linked in ways that made it possible to match identity documents with personal images and contact details.
The researchers said the data belonged to users across at least 26 countries, with the highest concentration coming from the United States. Other affected regions included parts of Europe, Asia, and Latin America, suggesting that the apps had a wide global footprint. While the databases were reportedly taken down after disclosure, there is no clear way to confirm whether the information was accessed or copied by malicious actors before that.
What makes this leak particularly alarming is the nature of the data involved. KYC records are not just usernames or passwords. They often include passports, driving licences, selfies used for identity verification, and other documents that are extremely difficult, if not impossible, to replace. Once such information is exposed, the risks can linger for years in the form of identity theft, financial fraud, impersonation, or targeted scams.
The apps involved relied on AI features that required users to upload identity documents and personal images, either for verification or for content generation. Cybernews researchers noted that the databases lacked even basic protections such as password authentication, a lapse that points to poor security practices rather than a sophisticated cyberattack. This distinction matters because it suggests the exposure was preventable.
The companies behind the apps have not publicly detailed how long the databases were exposed or how many users have been notified. That silence adds to a broader concern around accountability in the AI app ecosystem, where products often scale faster than their security frameworks.
Regulators in several countries already require stricter handling of KYC data, but enforcement varies widely. This incident highlights the gap between regulation
on paper and real-world data practices. For users, it is a reminder that uploading identity documents to apps, especially newer AI platforms, comes with risks that are rarely spelled out clearly at signup.
As AI tools continue to push deeper into areas involving identity, finance, and personal data, this leak serves as a stark warning. Innovation may be moving fast, but basic data hygiene is still non-negotiable.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
