What Happened
The AI girlfriend service Muah.ai was hacked, spilling a database that tied user email addresses (many with real names) to their chatbot prompts and AI image prompts. Many prompts were sexually explicit, and disturbingly some described child sexual abuse scenarios. The attacker characterized the platform's backend as loosely assembled open-source projects requiring little sophistication to breach.
Impact
Around 1.9 million email addresses were exposed alongside deeply sensitive personal prompts, creating severe privacy, blackmail, and legal exposure for users. Reporting indicated the leaked data was subsequently used in active extortion attempts.
How to Prevent This
- Encrypt sensitive user content at rest and minimize retention of intimate conversation data
- Harden and pen-test backend infrastructure rather than shipping loosely assembled components
- Decouple personal identifiers from behavioral/prompt data to limit blast radius of a breach
- Implement content safeguards and reporting for illegal material such as CSAM
- Apply strong access controls, monitoring, and breach-detection on all user data stores