PrivacyHigh

Chatbot Provider WotNot Exposed 346,000 Files Including Passports and Medical Records

WotNot

What Happened

Cybernews researchers found that AI chatbot vendor WotNot had left a misconfigured Google Cloud Storage bucket open to the internet with no password. The 346,381 exposed files included passport and national ID scans, medical records, resumes, and travel documents belonging to free-tier customers' end users. WotNot said the bucket policy had been changed for a specific use case and that it failed to verify the resulting public accessibility.

Impact

The trove gave anyone on the internet a ready-made kit for identity theft, medical fraud, and other scams. The company took more than two months to close the hole after researchers first reached out.

How to Prevent This

  • Default cloud storage buckets to private and block public access at the org policy level
  • Verify accessibility after any bucket-policy change with automated checks
  • Encrypt sensitive documents and apply least-privilege access controls
  • Monitor for publicly exposed storage using continuous cloud-posture scanning
  • Maintain a monitored security contact so disclosures are actioned quickly

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment