Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

AI Image Editing Tool Cutout Leaked User Images and Data

Cutout, a popular AI image editing tool, suffered a data breach that exposed user images, usernames, and email addresses. The incident underscores the risks of using cloud-based AI tools for sensitive data., a web-based AI image editing tool, was caught leaking 9GB worth of user data, which included usernames and images requested by using specific queries.

The discovery was made by Cybernews, who found an open ElasticSearch instance containing 22 million log entries referencing usernames, including individual users and business accounts.

However, since log entries contained duplicates, the total number of users affected is unclear. The instance also had information on the number of user credits, a virtual in-game currency, and links to Amazon S3 buckets, where generated images were stored.

This should not come as surprise since the use of AI-powered tools have skyrocketed. This is precisely due to the massive success of ChatGPT. So much so that Google was forced to release its own AI tool called Bard AI.

AI Image Generator and Editor Leaks User Images and Data
The exposed Elasticsearch cluster (Image: CyberNews)

The Hong Kong-based visual design platform allows users to manipulate photos or generate images using an AI-based application programming interface (API). This functionality enables the integration of the company’s services into third-party apps.

As noted by researchers, has self-reported statistics of over 300 million API requests, 4,000 requests per second from over 5,000 applications and websites, and partnerships with over 25,000 businesses.

Therefore, the consequent impact of the leak is likely to be devastating for the customers whose data was exposed in the leak. According to the Cybernews report, their team also found two image editing apps in the open database: Vivid and AYAYA.

“If’s developers previously didn’t back up the data, the open instance could have led not only to the temporary denial of service but a permanent data loss that was stored on the open instance. Attackers could have wiped it out.”

Cyber News

Due to not being properly configured, the open instance could have been exploited by threat actors in multiple ways. The Cybernews team surmised that anyone could have performed CRUD (Create, Read, Update, and Delete) operations.

Attackers could have used the initial access point to enter the database, take control of the data, and pass it through’s API, thus carrying out a dangerous supply chain attack on the company’s customers.

Misconfigured Databases – Threat to Privacy

As we know, misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than 10 billion (10,463,315,645) records to public access without any security authentication.

In 2021, the number of exposed databases increased to 399,200. The top 10 countries with the most database leaks due to misconfiguration in 2021 included the following:

  • USA – 93,685 databases
  • China – 54,764 databases
  • Germany – 11,177 databases
  • France – 9,723 databases
  • India – 6,545 databases
  • Singapore – 5,882 databases
  • Hong Kong – 5,563 databases
  • Russia – 5,493 databases
  • Japan – 4,427 databases
  • Italy – 4,242 databases
  1. How AI-Powered Tools Spark Creativity
  2. Healthcare Firm ‘Doctors Me’ leaked Patient images
  3. Plastic surgery tech firm leaks images of 100k+ users
  4. New scam uses AI-generated images to fake law firm
  5. Breast Cancer Charity Exposed Images of U.S. Patients


I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Related News

New Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

New Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

The primary targets of this phishing campaign are located in the Ukrainian regions of Crimea, Donetsk, and Lugansk, which were…
CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…