Incident

Codeway AI Chat App Leak Exposes 300 Million Messages Due to Firebase Misconfiguration



Codeway, a mobile software developer based in Turkey, experienced a massive data leak affecting its "Chat & Ask AI" application and several other apps in its portfolio. 

An independent security researcher discovered the leak, which was caused by an unsecured database containing approximately 300 million messages belonging to 25 million users. The incident was publicly reported following the researcher's discovery of the open backend infrastructure.

The app's Google Firebase backend was configured with its Security Rules set to public. This setting allows anyone with the project URL to read, modify, or delete data without authentication.

The exposed data includes:

  • 300 million chat messages
  • User files and attachments
  • Complete chat histories
  • LLM model preferences and app settings
  • Metadata from other Codeway applications

The number of affected individuals is 25,000,000. 

Codeway secured its backend infrastructure within hours of being notified. The researcher subsequently removed the company's apps from the Firehound registry, a public database used to track vulnerable applications. 

The company has not issued a broad public statement regarding direct user notification or long-term remediation plans.
