Cybersecurity researcher Jeremiah Fowler uncovered a major data leak involving an AI image generator tool, and he shared the findings with ExpressVPN in an effort to promote public awareness and online safety.
The leak involved an unprotected database containing more than one million files. According to Fowler, the database was not secured by a password or encryption, meaning anyone with an internet connection could have accessed it.
In a small portion of the files he reviewed only for verification, most appeared to be explicit AI-generated content. Some involved face-swapping technology, and others seemed to include real people who may not have known their images were being used. A number of these files also appeared to depict very young individuals, which made the situation especially concerning.
Details inside the database pointed to a company called SocialBook, a Silicon Valley business offering tools for influencers and marketers. Further investigation revealed that the exposed content was connected to MagicEdit, an AI image-generation service listed in Apple’s App Store under the developer BoostInsider Inc. Although the exact ownership relationships between these companies are unclear, they appear to operate closely together across multiple locations.
After Fowler confirmed the source of the data, he immediately sent a responsible disclosure notice. The company responded quickly, restricted access to the database, and began an internal investigation. It is unknown how long the data remained exposed or whether anyone else accessed it before the issue was fixed. Around the time the report was being prepared, the MagicEdit website and apps were taken offline.
MagicEdit promoted itself as an AI platform capable of transforming text prompts into images, generating adult-themed content, performing face swaps, and removing backgrounds. The app was intended for users 18 and older, and it offered various artistic styles alongside subscription-based features. However, because the database was exposed, it was possible for anyone to view all users’ generated images, raising major concerns about privacy and data handling.
Fowler explained that the leaked content included material involving very young individuals or combinations of adult faces placed onto younger bodies. Even though he used heavy redaction in the screenshots he documented, the presence of such material in the database highlights how easily AI tools can be misused. Some images also looked like real reference photos, suggesting that people might have uploaded pictures of others without consent.
AI tools that allow face swapping or the creation of intimate images without permission bring up serious ethical, privacy, and legal issues. Nonconsensual deepfake content is a growing problem, and studies suggest that most deepfakes online are adult content involving people who did not agree to be depicted. Laws are still catching up with the rapid growth of this technology.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
MagicEdit’s terms of service mentioned that user accounts could be terminated for uploading adult content, but there was no clear policy addressing nonconsensual material or content involving minors. The company’s privacy policy also stated that user-facing data would not be stored in the cloud, yet the exposed database suggested inconsistencies in how data was handled. It is unclear whether the database was directly controlled by MagicEdit or a third-party contractor.
