Incident

AI image generator MagicEdit leaks over 1 million images, mostly explicit, via unsecured database



Cybersecurity researcher Jeremiah Fowler is reporting a leak of data processed by MagicEdit, an AI-powered image generation platform. The leak exposed over 1 million user-generated images and videos.

The exposed database, which was not password-protected or encrypted, contained 1,099,985 records. Fowler immediately sent a responsible disclosure notice to the affected companies, and the database was subsequently restricted from public access. 

The leak exposed a troubling use case of AI image generation technology. In a limited sample review conducted as part of the investigation, nearly all observed files were pornographic images, including AI-generated or manipulated portrayals that appeared to depict very young individuals. The exposed data included:

  • AI-generated pornographic images depicting adult content
  • Face-swapped images combining faces of adults and young individuals on AI-generated bodies
  • What appeared to be AI-generated images of minors or underage individuals
  • Unaltered images of real individuals, possibly uploaded as reference photos without consent
  • User-generated content from MagicEdit's text-to-image and face-swap features
  • Images with internal watermarks indicating ownership by SocialBook

The number of affected real individuals is not clear. The duration of the exposure has not been disclosed.

The ownership structure of the database revealed a complex web of affiliated entities: 

  1. Internal watermarks and database naming indicated the data belonged to SocialBook, a Silicon Valley-based company offering services for influencers and marketing, including AI image and content-generation tools.
  2. MagicEdit appeared to operate under the domain MagicEdit.app and was listed in Apple's App Store with BoostInsider Inc. as the developer, while app support pointed to socialbook.io.
  3. A company called DreamX subsequently claimed to operate both MagicEdit and another platform called DreamPal, which allegedly used the same unsecured database.
  4. According to LinkedIn, BoostInsider maintained offices in California, Beijing, Chengdu, and Shenzhen. 

Following the disclosure, a DreamX spokesperson stated they take the concerns extremely seriously and launched a full investigation with external legal counsel, while SocialBook representatives claimed they operated independently and were not involved in the database's operation or management. 

After the disclosure, both MagicEdit and DreamPal websites became inaccessible, displaying messages indicating temporary suspension of services as part of a broader restructuring of product lines and infrastructure. The apps were removed from both Apple's App Store and Google's Play Store. 
