TL;DR: Chat & Ask AI, a popular AI chatbot wrapper with 50 million downloads across the App Store and Google Play, left its Google Firebase backend misconfigured so that anyone could access its entire database. A security researcher found 300 million private messages from 25 million users sitting in the open. Those messages included people asking how to kill themselves, how to make drugs, how to hack apps, and other deeply personal questions users assumed were private. The app's developer, Turkish company Codeway, claims GDPR compliance and "enterprise-grade security" on its marketing page. The vulnerability affected Codeway's other apps too. They fixed it within hours of disclosure, but only after 404 Media started asking questions.

Your "Private" AI Chat Was Never Private

People tell AI chatbots things they wouldn't say to another human. That's the whole point. The perceived privacy of talking to a machine lowers the guard. You'll ask a chatbot about depression when you won't call a therapist. You'll type out dark thoughts you'd never say out loud.

Chat & Ask AI banked on that trust. The app, built by Turkish developer Codeway, wraps around models from OpenAI (ChatGPT), Anthropic (Claude), and Google (Gemini), letting users pick which AI they talk to. It racked up 50 million downloads across the App Store and Google Play [1].

What Codeway didn't do was protect the conversations.

The Firebase Problem

A security researcher who goes by "Harry" discovered that Chat & Ask AI's Google Firebase backend was misconfigured. Firebase is Google's app development platform: it handles databases, authentication, and storage for mobile apps. When set up correctly, it restricts who can read and write data.

Codeway didn't set it up correctly [1][2].

The misconfiguration let anyone gain authenticated access to the app's database. Not through some sophisticated exploit. Not through a zero-day. Through a configuration mistake that Firebase's own documentation warns about. Harry accessed roughly 300 million messages tied to more than 25 million users [1].

To confirm the scope wasn't a fluke, Harry analyzed a sample of 60,000 users and over one million messages. The data was real, the access was complete, and the vulnerability affected not just Chat & Ask AI but Codeway's other apps too [1][3].
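For readers who want to see what "set up correctly" versus "misconfigured" actually looks like, here is an added illustration in Cloud Firestore security-rules syntax. It is not Codeway's configuration, and 404 Media's reporting does not say which Firebase product or which rule was at fault; the collection paths (`users/{userId}/chats/{chatId}`) and the two weak patterns shown are assumptions chosen because they are the most common ways a Firebase backend ends up readable by "anyone with authenticated access," as the article describes. The Realtime Database has an equivalent JSON rules file with the same failure modes.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK PATTERN 1 (assumed, for illustration): wide-open database.
    // This is the kind of catch-all rule Firebase's docs warn against;
    // no sign-in of any kind is needed to read or write every document.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // WEAK PATTERN 2 (assumed, for illustration): "authenticated" but not
    // authorized. Any signed-in account can read every user's documents.
    // If the app enables anonymous or open email sign-up (as consumer apps
    // usually do), "signed-in" means anyone who calls the Firebase API with
    // the app's public client config, so this is effectively public.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: authenticate AND authorize. A caller may only touch the
    // chat documents that live under their own user id, so one user's
    // credentials never grant access to another user's messages.
    match /users/{userId}/chats/{chatId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Any path not matched above is denied by default; no catch-all
    // "allow" rule exists to undo that.
  }
}
```

The check a practitioner would want before shipping: run the rules against the Firebase Local Emulator Suite with the `@firebase/rules-unit-testing` package and assert that a client authenticated as one user id is refused when it reads another user's `chats` subcollection, and that an unauthenticated client is refused everywhere. Owner-scoped reads succeeding is the easy case; the cross-user and anonymous denials are the tests that would have caught the misconfiguration this article describes.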

What People Were Saying

This isn't a breach where attackers grabbed email addresses and password hashes. This exposed the raw, unfiltered content of conversations between humans and AI, the things people only say when they think nobody's listening.

The exposed messages included users asking [1]:

  • How to painlessly kill themselves
  • How to write suicide notes
  • How to manufacture methamphetamine
  • How to hack other applications

Along with the message content, the database exposed:

  • Full chat histories with timestamps
  • Custom names users assigned to their chatbots
  • AI model selections (which model each user chose)
  • Configuration settings for each user's AI session

Think about what that means in combination. Not just what someone said, but when they said it, how they personalized their AI companion, and the pattern of their conversations over time. That's a psychological profile sitting in an unlocked database.

"Enterprise-Grade Security"

Codeway's marketing claimed the app offered SSL certification, GDPR compliance, and ISO standards with "enterprise-grade security" [3].

SSL certification means the connection between your phone and their server is encrypted in transit. That's basic: every website you visit has it. It says nothing about what happens to your data after it arrives. In this case, what happened was: it sat in an open database that anyone could read.

GDPR compliance means the company says it follows European privacy regulations. Those regulations require, among other things, appropriate technical measures to protect personal data. A Firebase database with default authentication settings is not that.

"Enterprise-grade security" apparently means whatever Codeway wants it to mean.

This Isn't Just One App

Chat & Ask AI isn't an anomaly. It's part of a pattern.

Research from CovertLabs and VX Underground found that 198 iOS apps had insecure Firebase storage, with 196 of them actively exposing user data. Across those apps, more than 406 million records were accessible [4].

Another app in the batch, YPT – Study Group, with over two million users, leaked messages, user IDs, and access tokens. The problem is systemic: developers racing to ship AI apps are using Firebase without configuring security rules, and Apple's App Store review process isn't catching it [4].

Codeway alone publishes 60+ apps, including Wonder AI Art Generator, Nerd AI, FaceDance, and TypeAI. When Harry disclosed the Chat & Ask AI vulnerability on January 20, Codeway fixed the issue across all of its apps within hours, which tells you the misconfiguration wasn't limited to one product [1][3].

The Disclosure Timeline

Here's how it played out:

  • January 20, 2026: Harry disclosed the vulnerability to Codeway
  • Within hours: Codeway patched the Firebase misconfiguration across all its apps
  • January 29, 2026: 404 Media published the story after Codeway didn't respond to requests for comment [2]
  • February 5, 2026: Fox News and other outlets picked up the story after broader analysis confirmed scope [1]

Credit where it's due: Codeway fixed the technical issue fast once it was reported. But the company never responded to 404 Media's requests for comment. No public acknowledgment. No disclosure to users. No explanation of how long the database was exposed or whether anyone else accessed it before Harry [2].

If you used Chat & Ask AI at any point, you have no way of knowing whether your messages were accessed by someone other than the researcher who reported the flaw.

Why AI Chat Apps Are a Privacy Minefield

Traditional messaging apps have had decades to learn hard lessons about storing private conversations. AI chat apps are speedrunning the same mistakes.

The core problem: these apps store every message you send. Unlike end-to-end encrypted messaging apps like Signal, where messages are designed to be unreadable by the service provider, AI chatbots need to read your messages to generate responses. That means your data exists on the server in a format the company can access, and so can anyone who finds a misconfigured database.

Chat & Ask AI is a "wrapper": it doesn't run its own AI model. It routes your questions to OpenAI, Anthropic, or Google's APIs. So your messages travel through at least two companies: Codeway (which stores them) and the AI provider (which processes them). Both companies' privacy policies apply. Both companies' security practices matter. And as we just saw, at least one of them couldn't handle a Firebase configuration.

Protect Yourself

  • If you used Chat & Ask AI: Assume your conversations were accessible. There's no way to confirm whether anyone beyond the security researcher accessed the database. If you shared personal information, passwords, or sensitive details through the app, change those credentials now.
  • Before using any AI chatbot app: Research the developer. Look for a privacy policy that specifies data retention and encryption at rest, not just "SSL" and "GDPR." A company claiming 50 million users should have a security track record you can verify.
  • Assume conversations are stored: Every AI chatbot stores your messages. Even if the company has good security, employees can access them. Treat AI conversations like postcards, not sealed letters.
  • Use AI providers directly: If you want to use ChatGPT, Claude, or Gemini, use the official apps from OpenAI, Anthropic, or Google. Third-party wrappers add an extra company between you and the AI, and another attack surface.
  • Limit what you share: Don't give AI chatbots your real name, location, medical details, or anything that could identify you. If you need to discuss sensitive topics, use a VPN and a throwaway email account.
  • Check app permissions: AI chat apps don't need access to your contacts, photos, or location. If they ask for it, that's a red flag.

Sources