In a concerning development for Android users, two popular applications developed by Codeway have been found to leak extensive amounts of user data, potentially affecting millions globally. The incidents, stemming from configuration errors in Google Cloud services, exposed not only creative content like images and videos but also highly sensitive personal information.
The first app, Video AI Art Generator & Maker, had accumulated over 12 terabytes of data—comprising 1.5 million images and nearly 400,000 videos—before the breach was discovered. This data, generated by users for artistic purposes, was left publicly accessible due to improperly secured cloud storage settings. The app, which had been available on Google Play since mid-2023, has since been removed from the store following reports of the vulnerability.
Simultaneously, another Codeway application, IDMerit, designed for identity verification processes, was found to expose a broad range of personal data. This included full names, home addresses, postal codes, dates of birth, ID card numbers, telephone numbers, gender information, email addresses, and additional metadata linked to users in the U.S. and 25 other countries. Such details pose significant risks for identity theft and targeted phishing campaigns.
Key Points
- The Video AI Art Generator app leaked over 12 TB of user-generated images and videos due to a Google Cloud configuration error.
- IDMerit, used for identity verification, exposed sensitive personal information including names, addresses, ID numbers, and more.
- Affected users are advised to uninstall all Codeway apps immediately and monitor communications for potential phishing attempts.
Security researchers emphasize that while Google Play performs app reviews, developers retain ultimate responsibility for security. Users should exercise caution when installing new applications, particularly those with large or rapidly growing user bases. Reviewing developer track records, scrutinizing requested device permissions, and looking for trust indicators—such as verified developer badges—can help mitigate risks.
Both apps in question have been removed from the Google Play Store, but users who previously installed them may still be at risk. The leaked content, though AI-generated in one case, could contain private or sensitive material that was unintentionally shared. As a precaution, affected individuals should also enable multi-factor authentication on critical accounts and avoid engaging with suspicious messages or requests.
This incident serves as a reminder of the importance of vigilance in digital security, even when using seemingly innocuous applications. Developers are encouraged to prioritize robust security measures during app development and deployment, while users should remain proactive in protecting their personal data.
