TL;DR: Video AI Art Generator & Maker, an Android app that transforms photos and videos using AI, left a Google Cloud Storage bucket wide open with no authentication. Researchers found 8.27 million media files inside, including 1.57 million personal photos and 385,000 private videos uploaded by users since the app launched in June 2023. The developer? Codeway, the same Turkish company that exposed 300 million private chat messages through its Chat & Ask AI app just weeks ago. Codeway patched the bucket within hours of disclosure on January 20, 2026, but users had no idea their personal media was sitting in the open for over two years.

Codeway Strikes Again

On January 20, 2026, a researcher from Cybernews discovered that Video AI Art Generator & Maker, a popular Android app for creating AI-generated art from personal photos and videos, had left its entire cloud storage bucket accessible to anyone who knew where to look [1].

The bucket contained 8.27 million media files. Most were AI-generated output, but mixed in were the raw inputs: 1.57 million original photos and 385,000 personal videos that users had uploaded to the app [1][2].

The app launched in mid-June 2023. That means every piece of media uploaded since then sat on an unprotected server for roughly two and a half years.

If the developer sounds familiar, it should. Codeway Dijital Hizmetler Anonim Sirketi, a Turkish company with over 60 apps in the Google Play Store, made headlines in January when its Chat & Ask AI app exposed 300 million private conversations through a misconfigured Firebase database. Same company. Same basic mistake. Different app.

What Was Exposed

The Google Cloud Storage bucket held everything users had ever fed into the AI:

  • Personal photos: 1.57 million user-uploaded images, including faces, family photos, and anything else people wanted to transform with AI
  • Private videos: 385,000 video files uploaded for AI processing
  • AI-generated content: Millions of transformed images, videos, and audio files showing what users created from their uploads

The bucket required no authentication. No password. No API key. Just the URL [1].

If you've used this app to create AI art from your selfies, your pet photos, or video clips of your kids, those files were accessible to anyone who found the bucket's address.

The Deepfake Problem

This isn't just a privacy violation. It's a deepfake goldmine.

Modern deepfake tools need source material: photos and videos of a person's face from multiple angles, in different lighting, with various expressions. An AI art app is the perfect collection mechanism. Users voluntarily upload exactly the kind of content needed to create convincing face-swaps [1][2].

With nearly two million photos and hundreds of thousands of videos sitting unprotected, bad actors had access to raw material for:

  • Face-swap deepfakes using victims' actual images
  • Non-consensual explicit content ("revenge porn" using AI)
  • Identity theft and social engineering attacks
  • Targeted phishing using personal photos

The videos are particularly concerning. Video provides the temporal data (mouth movements, blinking patterns, head tilts) that makes deepfakes harder to detect.

Codeway's Response

Credit where it's due: when Cybernews disclosed the vulnerability on January 20, 2026, Codeway patched the misconfiguration within hours. The same thing happened with Chat & Ask AI: fast technical fixes once the problem was reported [1][3].

But here's what didn't happen:

  • No public acknowledgment of the breach
  • No notification to affected users
  • No explanation of how long the data was exposed
  • No confirmation of whether anyone else accessed the bucket before the researcher

Codeway has over 60 apps in the Google Play Store. After two major data exposures in one month (one affecting 300 million chat messages, another affecting 8 million media files), the company's security practices deserve serious scrutiny [1][3].

A Pattern, Not an Accident

Two apps from the same company. Two different cloud services (Google Cloud Storage and Firebase). Two massive data exposures discovered within weeks of each other.

This isn't bad luck. It's a systemic failure in how Codeway handles user data.

The Chat & Ask AI breach exposed Firebase authentication issues. The Video AI Art Generator breach exposed Cloud Storage misconfigurations. Both are well-documented, easily preventable mistakes that Google's own security documentation warns about. Both suggest that security isn't a priority when shipping products [1][4].
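
For teams running their own buckets, the check that catches this class of mistake is short. The sketch below is an added example, not code from the article, Cybernews, or Codeway: it takes a Cloud Storage IAM policy in the JSON shape printed by gcloud storage buckets get-iam-policy with --format=json, lists every grant to a public principal, and builds a cleaned policy without them. It assumes the exposure comes from an IAM grant to allUsers or allAuthenticatedUsers (the article does not say which setting was wrong), and the sample policy, etag and service account name are constructed.

```python
import copy
import json

# Principals meaning "anyone on the internet" / "any signed-in Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy; the etag and service account name are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:backend@example-project.iam.gserviceaccount.com",
                 "allAuthenticatedUsers"]}
  ]
}
""")


def public_bindings(policy):
    """Return (role, member) for every grant to a public principal."""
    return [
        (binding.get("role", ""), member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_MEMBERS
    ]


def strip_public(policy):
    """Return a copy with public principals removed; empty bindings are dropped."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            binding["members"] = members
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC GRANT  {member}  ->  {role}")
    print(json.dumps(strip_public(SAMPLE_POLICY), indent=2))
```

This covers IAM bindings only; buckets that still use per-object ACLs need a separate review, and enforcing public access prevention on the bucket blocks public grants from being added back.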

Codeway's other apps include Wonder AI Art Generator, Nerd AI, FaceDance, and TypeAI. After two breaches, the question isn't whether those apps have similar problems. It's whether anyone has looked.

If You Used This App

Assume your data was accessible. There's no way to confirm whether anyone accessed the bucket before Cybernews found it.

  • Check your upload history: Think about what photos and videos you uploaded to the app. If any contained your face, assume someone could have that imagery.
  • Watch for phishing: If personal photos leak, they can be used in targeted scams: messages that include your actual images to make them more convincing.
  • Monitor for deepfakes: Set up Google Alerts for your name and periodically reverse-image-search your photos to check for unauthorized use.
  • Delete the app: Codeway has demonstrated it can't be trusted with your data. Uninstall Video AI Art Generator and any other Codeway apps from your devices.
  • Revoke app permissions: Check what permissions the app had on your phone. If it had access to your entire photo library, it may have uploaded more than you realize.

The Bigger Picture

AI apps are multiplying faster than the security practices needed to protect them. Developers racing to ship the next AI photo tool or chatbot wrapper cut corners on infrastructure. Cloud storage gets misconfigured. Databases get left open. And millions of users pay the price.

This is the third major AI app data exposure we've covered in February 2026 alone. The pattern is consistent: rapid development, inadequate security, and users who have no idea their data is sitting in the open until a researcher stumbles across it.

Until app stores start requiring security audits for apps that handle user media, and until developers face real consequences for preventable breaches, this will keep happening.

Sources