An AI image generator startup left more than 1 million images and videos created with its systems exposed and accessible to anyone online, according to new research reviewed by WIRED. The “overwhelming majority” of the images involved nudity and “depicted adult content,” according to the researcher who uncovered the exposed trove of data, with some appearing to depict children or the faces of children swapped onto the AI-generated bodies of nude adults.
Multiple websites—including MagicEdit and DreamPal—all appeared to be using the same unsecured database, says security researcher Jeremiah Fowler, who discovered the security flaw in October. At the time, Fowler says, around 10,000 new images were being added to the database every day. Indicating how people may have been using the image-generation and editing tools, these images included “unaltered” photos of real people who may have been nonconsensually “nudified,” or had their faces swapped onto other, naked bodies.
“The real issue is just innocent people, and especially underage people, having their images used without their consent to make sexual content,” says Fowler, a prolific hunter of exposed databases, who published the findings on the ExpressVPN blog. Fowler says it is the third misconfigured AI-image-generation database he has found accessible online this year—with all of them appearing to contain nonconsensual explicit imagery, including those of young people and children.
Fowler’s findings come as AI-image-generation tools continue to be used to maliciously create explicit imagery of people. An enormous ecosystem of “nudify” services, which are used by millions of people and make millions of dollars per year, uses AI to “strip” the clothes off of people—almost entirely women—in photos. Photos stolen from social media can be edited in just a couple of clicks, leading to the harrowing abuse and harassment of women. Meanwhile, reports of criminals using AI to create child sexual abuse material, which covers a range of indecent images involving children, have doubled over the past year.
“We take these concerns extremely seriously,” says a spokesperson for a startup called DreamX, which operates MagicEdit and DreamPal. The spokesperson says that an influencer marketing firm linked to the database, called SocialBook, is run “by a separate legal entity and is not involved” in the operation of other sites. “These entities share some historical relationships through founders and legacy assets, but they operate independently with separate product lines,” the spokesperson says.
“SocialBook is not connected to the database you referenced, does not use this storage, and was not involved in its operation or management at any time,” a SocialBook spokesperson tells WIRED. “The images referenced were not generated, processed, or stored by SocialBook’s systems. SocialBook operates independently and has no role in the infrastructure described.”


