In early February 2026, a massive privacy failure rocked the world of AI chat applications: a widely used mobile chatbot app left its entire backend database publicly accessible due to a Firebase misconfiguration, exposing roughly 300 million private messages belonging to about 25 million users. What makes this event especially concerning isn’t a sophisticated hack — it’s that a simple developer oversight turned private user data into public visibility.

What Happened?

The data leak originated in Chat & Ask AI, a popular mobile application with over 50 million downloads across Android and iOS platforms. The app acts as a front-end “wrapper” to multiple large language models (LLMs) — letting users interact with systems such as OpenAI’s ChatGPT, Anthropic’s Claude, and Google’s Gemini through a single interface.

An independent security researcher, known only as “Harry,” discovered that the app’s underlying cloud database — hosted on Google Firebase, a Backend-as-a-Service (BaaS) platform — was configured in a way that allowed unauthenticated access to backend data. Instead of enforcing authentication and restrictive access policies, the Firebase Security Rules were inadvertently set to allow public reads and writes, effectively leaving the database wide open.

This wasn’t an exploit in the traditional sense. There was no brute-force or zero-day attack — it was simply a case of improperly configured access controls, a well-documented and preventable cloud security mistake.

Scope of the Exposure

Because the database was unsecured, anyone with a basic understanding of Firebase and the project’s API endpoints could directly access the stored data. The researcher was able to read, and potentially modify, all records in the database, including:

• Users’ complete chat histories and conversation transcripts
• Custom names given to AI bots
• Model selection data (which LLM was used per session)
• Timestamps and settings associated with each conversation
• Related internal metadata tied to specific user accounts

The massive volume of data — 300 million messages from ≈ 25 million users — included deeply personal and sensitive content. Analysis of samples revealed prompts concerning mental health struggles, medical questions, illegal activities, and other intimate subjects users likely assumed were private.

Why Misconfigured Firebase Is So Dangerous

Firebase is a popular choice among developers because it provides scalable database services with minimal setup. However, its convenience comes with responsibility: default settings are often permissive unless developers explicitly lock them down. Key factors in the incident include:

1. Public Security Rules – Security Rules intended to protect data were left in a misconfigured state, granting everyone read/write access.
2. Lack of Access Controls – No authentication checks were required to access sensitive tables storing chat logs.
3. Absence of Monitoring and Alerts – A robust security posture usually includes automated alerts when databases are exposed, which was apparently missing here.

Misconfigurations like these are not unique to Chat & Ask AI — historical analyses have found thousands of apps with similar Firebase weaknesses, leaking email addresses, personal data, and location information simply because database access controls were improperly set.

Responsible Disclosure and Remediation

After identifying the vulnerability, the researcher disclosed it privately to the app’s developer Codeway on January 20, 2026. According to multiple sources, the misconfiguration was fixed within hours across all applications linked to the same backend.

Despite the rapid patch, there’s no way to determine how long the misconfiguration existed before it was detected, or whether anyone else accessed and copied the exposed data. Once information has been exposed online, it cannot truly be retracted.

Lessons and Takeaways for Developers

This incident underscores a crucial lesson for any team building AI-powered applications:

1. Treat Security Rules as Code

Access control policies must be versioned, reviewed, and tested just like application logic. Tools like Firebase Emulators and automated compliance tests can help validate that rules enforce the intended security posture before deployment.

2. Don’t Trust Defaults

Managed services come with defaults that may be permissive. Developers must assume default configurations are insecure, especially for production systems handling sensitive data.

3. Audit and Monitoring

Continuous scanning tools that check for exposed databases or misconfigurations can catch security flaws before they go live. Public scanning (e.g., searching for unsecured endpoints) should be part of the release checklist.

4. User Awareness

Users of chat platforms should assume that data shared with AI services may be logged and stored — and should avoid sharing highly sensitive personal information unless absolutely necessary.

Why This Matters

AI chat applications are rapidly becoming integrated into daily workflows, therapy settings, and knowledge work. Users often treat conversations with generative AI as private, even confidential — revealing thoughts, emotions, health information, and professional data they wouldn’t publicly post elsewhere.

A security failure like this does more than leak data; it betrays user trust and highlights how traditional app security mistakes can be amplified in the context of AI. Developers building on cloud services must recognize that backend infrastructure decisions are as critical as the AI models themselves.