Every Documented AI Companion Data Breach: The Complete Timeline
Users share intimate conversations, custom characters, and personal photos with AI companion platforms. The security record of the platforms operating in this category is uneven at best and dangerous at worst. This timeline covers the documented incidents, what they revealed, and what users should actually know.
May 9, 2026
The AI companion category sits at the intersection of two privacy-vulnerable categories of personal data: intimate conversation content and user-uploaded media. Platforms in this space collect what users say in private chat, what users tell AI characters about themselves, photos users upload for character customization or generation, voice samples used for voice cloning, and detailed behavioral profiles built from sustained interaction. The privacy exposure surface for any given user is substantially larger than what most users intuitively think about when they sign up.
The platforms operating in this category have a security track record that ranges from genuinely careful to actively dangerous. The documented incidents matter because they reveal which platforms invested in security infrastructure versus which ones treated security as an afterthought. The category-wide pattern of these incidents also reveals how the platforms typically respond when something goes wrong.
This is the documented timeline based on publicly available reporting and confirmed security incident records.
September 2024: Muah AI
The most extensively documented incident in the AI companion category to date is the Muah AI data breach added to the Have I Been Pwned database in September 2024. The breach exposed a database of user accounts, conversations, custom character descriptions, and uploaded image references. The scope of exposed data included material that users had specifically shared with the platform under the assumption it would remain private.
The Muah AI response to the incident was inadequate by industry standards. The platform initially downplayed the scope, then was slow to notify affected users, and never provided the kind of detailed post-incident report that mature security organizations publish. Coverage from 404 Media documented the incident in detail and provided context on what the leaked data actually contained.
Australia's eSafety Commissioner subsequently flagged Muah AI in their AI safety guide, citing both the breach and broader concerns about the platform's content policies. The platform's own subreddit was suspended around the same period following spam campaigns that platform leadership was perceived as not adequately addressing.
The combined effect of these incidents made Muah AI the case study for what can go wrong in the AI companion category. Our Muah AI review covers the platform's current state including the unique features that exist alongside these unresolved trust concerns.
January 2023: Replika privacy concerns
While not a breach in the traditional sense, Replika's January 2023 NSFW content removal raised significant questions about how the platform handled user data and user relationships. The removal effectively erased years of accumulated conversational context for users who had paid for ongoing relationships with their Replika characters. From a user-trust standpoint, the incident represented a category-defining failure even though no actual data was leaked to external parties.
The Replika incident matters in the data breach timeline because it established that platform-internal actions can damage user relationships and data continuity in ways functionally similar to external breaches. Users lost access to relationships they had built and paid for. The data that defined those relationships was either deleted or rendered inaccessible by content policy changes. Whether this counts as a "breach" depends on definitions, but the user experience was comparable to what a breach would have produced.
Replika's broader privacy practices have been documented in detail by Mozilla's Privacy Not Included project, which gave Replika one of its worst ratings in the AI companion category for data handling practices. Mozilla's broader assessment of the category in their 2024 review flagged systematic problems across multiple platforms.
March 2024: Soulmate AI shutdown
When the Soulmate AI platform shut down operations in 2024, users received limited notice and minimal ability to export conversation history. The shutdown was technically handled within the bounds of the platform's terms of service, but the practical result for users was loss of access to relationships and accumulated data that they had paid for. Soulmate AI users who had spent years developing companion characters lost everything in a way that conventional platform shutdowns don't typically produce because conventional platforms aren't selling emotional continuity.
The Soulmate shutdown didn't expose user data externally, but it did demonstrate a category-specific failure mode: AI companion platforms can disappear and take user relationships with them in ways more emotionally consequential than typical service shutdowns. The lesson is that users investing in AI companion relationships need to evaluate platform stability seriously, not just feature quality.
Our coverage of platforms that died and what killed them covers the Soulmate situation and broader category patterns of platform mortality.
Ongoing: Character.AI legal and content incidents
While Character.AI has not had a documented data breach in the conventional sense, the Setera v. Character Technologies lawsuit filed in October 2024 represents a different category of incident worth including in any comprehensive timeline. The case involves user-protected information becoming relevant to litigation in ways that highlight how AI companion conversations can become legally exposed even when platform security infrastructure remains intact.
The broader pattern of Character.AI content incidents through 2024-2025, culminating in the November 2025 ban on under-18 users, illustrates how user data can become exposed to regulators even without an external breach. Platforms storing intimate conversations face legal discovery risks that conventional consumer software doesn't share. Users who treat AI companion conversations as fully private should know that "private from outside attackers" and "private from legal process" are different categories of security.
Smaller incidents and unverified reports
The AI companion category has had numerous smaller security incidents that didn't reach mainstream press coverage but appeared in security researcher reports, platform community discussions, and disclosures. Several of these involve:
Platform misconfigurations exposing user data temporarily during the period before the issue was identified and patched. The duration of exposure varied from hours to weeks across documented incidents.
Third-party data processor vulnerabilities affecting platforms that integrated with services later found to have security issues. The connections between AI companion platforms and image generation services, voice synthesis services, and analytics providers create supply-chain security exposure that's hard to evaluate from a user perspective.
Insider data access incidents at smaller platforms where employees were able to view user conversations in ways that violated stated privacy policies. These incidents are particularly hard to track because they typically don't produce external-facing security disclosures.
The pattern across these smaller incidents is consistent. AI companion platforms operate with smaller security teams than mature consumer software companies. Many platforms are operated by small teams whose security expertise is genuinely limited. The category has not yet had the kind of major incident that forces industry-wide security maturity improvements.
What this pattern actually means
The data breach record across the AI companion category suggests several things users should internalize before sharing intimate information with these platforms.
First, the platforms operating in this category vary substantially in security maturity. Larger platforms with significant funding and dedicated security staff (Character.AI, Replika in its pre-2023 form) have stronger security infrastructure than smaller indie platforms. This isn't to say large platforms are safe, just that the variance is real and meaningful.
Second, the documented incidents reveal that platform shutdown and content policy changes can produce user-impact effects comparable to external breaches. The Replika and Soulmate examples show that even platforms not breached can fail users in ways that affect data continuity and relationship integrity.
Third, the category-wide security record is not bad relative to the broader consumer software industry, but it's also not good relative to the sensitivity of the data being handled. Users sharing intimate content with AI companions are entrusting platforms with data more personal than what most consumer software handles, and the security infrastructure in the category has not yet matured to match the sensitivity of the data.
The lack of meaningful age verification across the category is another dimension of the broader trust infrastructure gap these incidents reveal.
Practical implications for users
If you're using AI companion platforms, several practical steps reduce your exposure without requiring you to abandon the category:
Avoid sharing identifying information with AI companions. Even on platforms with strong security, the conversations can become legally exposed and the platforms themselves can fail in ways that expose stored data. Treat AI companion conversations as if they could become readable to others, not because the platforms are necessarily breaching, but because the category-wide track record suggests this is a reasonable defensive posture.
Use unique email addresses for AI companion accounts. If the platform is breached, the leaked data won't link to your primary digital identity. Several free services provide forwarding email addresses that can be disposed of if breached.
Don't upload photos that could identify you to AI companion platforms unless the platform's specific security infrastructure justifies it. The Photo X-Ray feature on Muah and similar features on other platforms create privacy exposure that's hard to walk back once images are stored on platform servers.
Choose platforms that disclose their security practices in detail. Platforms that won't say what they do with user data probably aren't doing the right things. Platforms that publish detailed privacy policies and security practices are more likely to be actively investing in security infrastructure.
The category will eventually mature its security practices, probably driven by either a major incident that forces industry-wide changes or regulatory action that requires it. Until that happens, individual users protecting themselves is the best available approach. Knowing the documented incident history is the foundation for making informed decisions.
Our examination of how AI conversations become legally discoverable covers the parallel reality that legal exposure can be as consequential as a security breach for stored intimate data.