Cutout, a popular AI image editing tool, suffered a data breach that exposed user images, usernames, and email addresses. The incident underscores the risks of using cloud-based AI tools for sensitive data.
Cutout.pro, a web-based AI image editing tool, was caught leaking 9GB of user data, including usernames and the images users had requested with specific queries.
The discovery was made by Cybernews, which found an open ElasticSearch instance containing 22 million log entries referencing usernames, covering both individual users and business accounts.
However, since log entries contained duplicates, the total number of users affected is unclear. The instance also had information on the number of user credits, a virtual in-game currency, and links to Amazon S3 buckets, where generated images were stored.
This should not come as a surprise, since the use of AI-powered tools has skyrocketed, driven precisely by the massive success of ChatGPT, so much so that Google was forced to release its own AI tool, Bard AI.
The Hong Kong-based visual design platform allows users to manipulate photos or generate images using an AI-based application programming interface (API). This functionality enables the integration of the company’s services into third-party apps.
As noted by researchers, Cutout.pro has self-reported statistics of over 300 million API requests, 4,000 requests per second from over 5,000 applications and websites, and partnerships with over 25,000 businesses.
The impact of the leak is therefore likely to be devastating for the customers whose data was exposed. According to the Cybernews report, the team also found two image editing apps in the open database: Vivid and AYAYA.
“If Cutout.pro’s developers previously didn’t back up the data, the open instance could have led not only to the temporary denial of service but a permanent data loss that was stored on the open instance. Attackers could have wiped it out.”
Because the instance was not properly configured, it could have been exploited by threat actors in multiple ways. The Cybernews team surmised that anyone could have performed CRUD (Create, Read, Update, and Delete) operations.
Attackers could have used the initial access point to enter the database, take control of the data, and pass it through Cutout.pro’s API, thus carrying out a dangerous supply chain attack on the company’s customers.
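The failure pattern described above, an Elasticsearch node reachable on the network with no authentication, usually comes down to a few lines in `elasticsearch.yml`. The following is an added illustration, not configuration taken from Cutout.pro or from the Cybernews report: the first document shows the weak shape that leaves an instance open to anonymous CRUD, the second the corrected shape with authentication and TLS enabled. The address and keystore paths are placeholders; the setting names are standard Elasticsearch keys.

```yaml
# elasticsearch.yml, WEAK shape (what an "open instance" typically looks like).
# Binding to every interface with security off means anyone who can reach
# port 9200 can read, write and delete every index without credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# elasticsearch.yml, CORRECTED shape.
# Bind only to the node's private address (placeholder value) and require
# authenticated, TLS-protected requests on both the REST and transport layers.
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12            # placeholder path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # placeholder path
```

Elasticsearch 8.x turns security on by default; on 7.x with the free basic licence it had to be enabled explicitly, which is how unauthenticated clusters ended up exposed. After enabling it, set the built-in user passwords (`elasticsearch-setup-passwords` on 7.x, `elasticsearch-reset-password` on 8.x) and confirm from outside the host that an unauthenticated `GET /` now returns `401` instead of cluster metadata; a node that still answers with its cluster name and version is still open. Keeping the node on a private address and fronting it with a VPN or authenticating reverse proxy adds a second layer in case the application-level setting is ever regressed.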
Misconfigured Databases – Threat to Privacy
As we know, misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than 10 billion (10,463,315,645) records to public access without any security authentication.
In 2021, the number of exposed databases increased to 399,200. The top 10 countries with the most database leaks due to misconfiguration in 2021 included the following:
- USA – 93,685 databases
- China – 54,764 databases
- Germany – 11,177 databases
- France – 9,723 databases
- India – 6,545 databases
- Singapore – 5,882 databases
- Hong Kong – 5,563 databases
- Russia – 5,493 databases
- Japan – 4,427 databases
- Italy – 4,242 databases