ExpressVPN Uncovers Massive AI Data Leak: 3.7M Records Exposed in Plain Sight

A recent investigation published by ExpressVPN has uncovered a staggering 3.7 million pieces of private user data that were made publicly accessible — not through a sophisticated hack, but simply because basic security measures like password protection and encryption were never put in place.

Conducted by cybersecurity researcher Jeremiah Fowler, the report revealed that massive amounts of customer data had been leaked from AI-powered chatbots used by retailers for customer service purposes — a sobering reminder of how vulnerable personal information can be when companies fail to take adequate precautions.

The Findings

Fowler discovered three separate publicly accessible databases that were neither password-protected nor encrypted. Together, they contained 3.7 million records, including sensitive personal data such as email addresses, home addresses, and phone numbers.

The scale of the exposure is difficult to overstate. Even an initial sampling of the data included:

  • 1,422,577 audio recordings of customers
  • Text transcripts totalling 3.9TB
  • 207,381 Excel files
  • Audio recordings totalling 415.2GB

Among the exposed files were 54,359 complete transcripts of customer conversations with AI chatbots, along with their corresponding audio recordings, belonging to Sears Home Services — a US retail and repair business that uses AI chatbots in both English and Spanish to automate scheduling, phone calls, and online chats.

Fowler also noted a particularly concerning detail: the system continued to record audio even if a customer had not properly hung up, meaning some files contained up to four hours of background conversation and significant amounts of biometric voice data.

Why This Matters

While public access to the data was restricted after Fowler sent a responsible disclosure notification to Sears Home Services’ parent company, Transformco, the implications remain deeply troubling.

With AI-driven automation now capable of storing enormous volumes of highly sensitive data, the risk of irresponsible data handling is growing. This is especially alarming given that deepfake-enabled fraud losses are forecast to reach US $40 billion by 2027. Such a vast trove of data could allow bad actors to link identities or replicate users’ digital profiles for criminal purposes.

Importantly, tools like VPNs — while excellent for protecting your privacy while browsing or streaming — cannot protect you when the weak link is the very company to which you have voluntarily entrusted your data via chatbots or other apps.

How to Stay Safe

ExpressVPN urges users to remain vigilant and offers the following practical advice:

  1. Use strong, unique passwords for all accounts and services.
  2. Be cautious with unsolicited communications — whether emails, texts, or phone calls — that reference information you may have previously shared with a company.
  3. With the rise of voice cloning scams, consider agreeing on a safe word or password with close family and friends to verify identity in the unlikely event you receive a suspicious call asking for money or assistance.
  4. Take extra precautions in sensitive situations, and be mindful of what personal information you share with AI-powered services.

This investigation serves as a stark reminder that even the most tech-savvy users can be exposed to significant risk when the companies they interact with fail to implement basic security standards. Staying informed and proactive about your digital privacy has never been more important.

Related Articles

Back to top button