The most dangerous AI failures are rarely the cinematic ones. There was no hacker, no ransom note, no zero-day exploit in this story. Chat and Ask AI, a popular assistant app from the developer Codeway with more than 50 million downloads, simply stored its users' conversations in a cloud database that was configured to let the public read it. Anyone who knew the project address could pull user files containing entire chat histories, the models people used, and their settings, without ever logging in. The lock was not picked. It was never engaged.
That is what makes it worth documenting here, where we track the gap between how AI products are marketed and how they actually behave. These apps invite you to type your most unguarded thoughts into a text box. People treat a chatbot like a private journal, a therapist, a confessional, a place to ask the questions they would never ask another human. Codeway's app collected all of that and then left the back door of the filing cabinet open to the street. The number that should stop you is not just the 300 million messages. It is the roughly 25 million people who never knew any of it was exposed.
What Was Exposed, And Why It Was So Sensitive
The exposed data was not metadata or anonymized analytics. According to the security researcher who found it, the open database held user files containing their entire chat history, the models they had used, and other settings. In other words, the full text of what people had typed. And because this is a general-purpose AI assistant, the contents ran the full range of what humans actually ask machines in private. The researcher noted that the messages included discussions of illegal activity and, more disturbingly, requests for help related to suicide.
Sit with that for a second. The single most sensitive category of message a person can send, a moment of genuine crisis typed into an app at 3 a.m. because it felt safer than calling a person, was sitting in a database that anyone on the internet could read. This is the part the marketing never mentions. The pitch is convenience and intimacy, a companion that is always available and never judges. The reality is that the intimacy is being written to a server whose security is only as good as one configuration setting that, in this case, was never set.
The Cause Was One Setting Left On Public
The technical root cause is almost insultingly simple, which is exactly why it keeps happening. The app's data lived in Firebase, Google's popular backend platform that lets small teams ship apps fast without standing up their own servers. Firebase protects data through Security Rules, and one of the most common ways developers get it wrong is leaving those rules set to public. As the disclosure put it, public rules allow anyone with the project URL to read, modify, or delete data without authentication. The convenience that lets a tiny studio launch an app with tens of millions of users is the same convenience that lets a single default expose all of them.
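To make the "one setting" concrete, here is what that misconfiguration looks like next to a corrected version. This is an added illustration, not Codeway's actual rules file (which the reporting does not reproduce), and it assumes the app used the Firebase Realtime Database, whose rules are a JSON document that accepts `//` comments; the data layout under `users/$uid/chats` is likewise an assumption chosen for the example.

```json
{
  // INSECURE "public" / test-mode rules, the pattern the disclosure describes:
  // anyone holding the project URL can read, modify or delete every record,
  // with no sign-in at all.
  //
  //   "rules": { ".read": true, ".write": true }
  //
  // Hardened rules (illustrative layout, not the app's real schema):
  "rules": {
    // Locked by default: nothing is readable or writable unless a deeper
    // rule explicitly grants it.
    ".read": false,
    ".write": false,

    // Each user's conversations live under their own uid and are reachable
    // only by a signed-in client whose ID token carries that same uid.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "chats": {
          "$chatId": {
            // Reject writes that do not carry the fields a chat record needs.
            ".validate": "newData.hasChildren(['model', 'messages'])"
          }
        }
      }
    }
  }
}
```

Deploy with `firebase deploy --only database`, then verify on your own project: an unauthenticated request to the database's REST endpoint (the `.json` URL the disclosure refers to) should now answer with `{ "error" : "Permission denied" }` rather than the data. The Firebase console also flags root-level `true` rules as insecure, and a rules review belongs in the release checklist for any app that stores user-typed content, because the default "test mode" rules are the single change that separates a private journal from a public one.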
There was no clever attack involved. The researcher, who went by Harry, did not break anything. He found a door that was standing open, the way thousands of these doors stand open across the app stores. To Codeway's credit, the company reportedly resolved the issue across all of its apps within hours of responsible disclosure, which is the right response and a faster one than many firms manage. But the fix being fast does not undo the exposure. Once data has been readable to the public for an unknown period, you cannot prove who did or did not copy it, and you cannot un-leak a suicide-related message.
This Is Not One App. It Is The Whole Category.
If this were a single sloppy developer, it would be a footnote. It is not. After finding the flaw, the researcher built a scanning tool and a registry, and the results reframe the whole story. Out of 200 iOS apps he scanned, 103 had the same public-database misconfiguration, collectively exposing tens of millions of stored files. More than half. That is not a bad apple, it is an industry-wide default failure, and it maps almost perfectly onto the gold rush of AI companion and assistant apps that have flooded the stores over the past two years, built fast, monetized hard, and secured as an afterthought.
We have watched this same pattern in other corners of the AI economy. The rush to ship outran the discipline to verify when a flaw in Meta's Instagram AI chatbot exposed roughly 20,000 accounts to takeover, and the rush to deploy outran basic safety review when ChatGPT Health failed emergency and suicide-safety tests in a Mount Sinai study. The Chat and Ask AI leak is the data-storage version of the identical disease: products that ask for maximum trust while building on minimum care. The user is asked to be intimate. The vendor is not asked to be careful.
What You Should Actually Take From This
The practical lesson is not complicated, even if it is uncomfortable. Treat anything you type into a consumer AI app as if it could become public, because the evidence keeps showing that it can. The companies behind these apps are frequently small studios optimizing for downloads and retention, not security teams hardened by years of handling sensitive data. The privacy policy may promise the world, but a promise in a policy does not change a setting in a database, and it was a setting in a database that failed 25 million people here.
The broader point is the one this site keeps returning to. The AI industry has trained the public to confide in software faster than it has built the infrastructure to deserve that confidence. A chatbot that feels private and a chatbot that is private are two completely different things, and the gap between them is measured in default configurations, contractor incentives, and how many corners got cut to make launch day. Until that gap closes, the most honest privacy setting for any AI confession is to assume there isn't one.
The Verdict
Codeway's Chat and Ask AI exposed roughly 300 million messages from about 25 million users by leaving its Firebase database readable to the public, no authentication required. The contents included some of the most sensitive messages a person can send. The company patched it within hours, but a researcher found the identical flaw in 103 of 200 AI apps he scanned. This is not one bug. It is the security posture of an entire category that asks for intimacy and delivers exposure.
Has an AI app leaked, lost, or misused data you trusted it with? Tell us what happened.