Some AI apps leak loads of your data — see the worst offenders

Now you can find out if your new AI apps leak your personal data all over the place.
Photo: CovertLabs

New security research repository Firehound uncovered widespread data leaks affecting millions of iPhone users who downloaded AI-powered apps from the App Store.

If you’ve downloaded AI apps lately, as millions of others have, you might want to check to see if they made Firehound’s list.

Firehound exposes AI apps leaking user data

The Firehound project, led by security researchers at CovertLabs, identified 198 iOS apps that expose sensitive user data through improperly secured databases and cloud storage, according to X.com user @vxunderground, who highlighted the list Monday. Of these iOS apps, 196 actively leak user information, according to Firehound.

Those aren’t huge numbers in the greater scheme of things, but the potential scale of the problem is alarming. The worst offender, an app called Chat & Ask AI, reportedly exposed more than 406 million records from more than 18 million users. According to security researcher @Harrris0n, who created the Firehound repository, this includes the complete chat histories of millions of users, totaling about 380 million messages.

Given the personal and often sensitive nature of queries people pose to AI chatbots, the exposure represents a significant privacy breach.

“It’s time developers are held accountable for their shoddy work,” said @Harrris0n. “It will be interesting to see how @Apple and @Google respond.”

Who’s affected and what’s at risk

While AI-related apps dominate Firehound’s rankings, the security issues span multiple categories, including education, entertainment, graphics and design, health and fitness, lifestyle and social networking apps.

The exposed data varies by app but commonly includes user names, email addresses and chat histories. Many of these apps have hundreds of thousands of App Store reviews, indicating widespread use among iOS users.

A cautious approach to disclosure

Firehound limits public access to the most sensitive information and requires users to register for detailed scan results. Access requests are manually reviewed, with priority given to journalists, law enforcement and security professionals.

The project also offers a responsible disclosure pathway. It invites affected app developers to contact the team for guidance on fixing security vulnerabilities and having their apps removed from the public listing.

Firehound exposes AI apps leaking user data: What it means for iPhone users

This discovery serves as a reminder to be selective about which apps you install and what information you share with them. Even apps with high user ratings and large download numbers can have fundamental security flaws that put your data at risk.

Security experts recommend being particularly cautious with lesser-known AI chatbot services. They might lack the robust security infrastructure of major platforms, even though they handle equally sensitive information.
