
Every Major AI Companion Data Breach, and What It Means for Your Chats

Tens of millions of private messages and photos have already leaked from these apps. Here's the running record, why it keeps happening, and how to share less than you'd regret.

May 29, 2026

Think for a second about what you've actually typed into an AI companion. Not the marketing version. The real version. Private thoughts. Fantasies you wouldn't say out loud. Maybe your real name, your city, the name of your job, details about your family, the shape of a bad week. People are more honest with these apps than with most humans, which is part of the appeal and the entire problem, because all of that honesty is sitting in a database run by a company you've never met.

Now consider that these databases leak. Not hypothetically. Repeatedly, at enormous scale, in ways that have already exposed and in some cases ruined real people. This is the part of the hobby that doesn't make it onto the landing page, so let's put the record in one place and talk about what it means for what you choose to share.

The breaches on the record

The pattern here is grim because the failures are so basic. These aren't sophisticated attacks. They're companies leaving the front door open.

One incident in late 2025 involved an unprotected server that exposed roughly forty-three million messages and several hundred thousand images from around four hundred thousand users. No encryption, no access control, just sitting there for anyone who found the address. A few months later, a separate app leaked on the order of three hundred million messages through a misconfigured database, affecting tens of millions of users. And the Muah AI breach exposed close to two million emails alongside actual chat prompts, meaning people's real conversations and identities were tied together and made public. Some of those people were then blackmailed with their own words.

Read those numbers again. The exposure isn't a handful of accounts. It's the entire user base of platform after platform, including the most intimate text those users ever produced. The common thread is negligence rather than bad luck, which matters because negligence is predictable and you can plan around it.

Why companion apps are uniquely bad at this

Several things stack up to make this category leakier than your average app, and understanding them helps you judge which platforms to trust.

The data is unusually sensitive, which raises the stakes of any leak far above, say, a leaked list of email addresses. The companies are often tiny, sometimes a handful of developers with no security budget and a product that grew faster than their infrastructure. The incentives point the wrong way, because security is invisible to users and spends money that could go toward features that show up on the landing page. And the data collected is broader than people assume. One study of Character AI found it collecting up to fifteen distinct data types, including photos, audio, and location, and concluded that the large majority of companion apps may use your data to track you. The privacy reality of the category is consistently worse than the friendly interface suggests.

Put those together and you get a structural setup where the most sensitive possible data is held by the least equipped possible custodians under incentives that reward ignoring the problem. The leaks aren't surprising. They're the natural output of that arrangement.

What actually happens when this data gets out

It's tempting to file a breach under abstract risk, the way most people treat privacy policies they never read. The concrete outcomes are worth sitting with, because they're what make this worth your attention.

The immediate harm is exposure. Conversations you assumed were private become searchable, sometimes tied to your email or real name, which collapses the separation between your companion use and the rest of your life. The follow-on harm is extortion, which already happened to Muah AI users, where someone takes your leaked messages and threatens to show them to people you know unless you pay. The slower harm is permanence, because once data is out, it's out, copied and archived beyond any company's ability to recall it. A deleted account does nothing about a copy that leaked two years ago.

There's also a quieter cost. A lot of people use these apps precisely because they feel like a safe place to be unguarded. Learning that the safe place leaks at scale doesn't just create legal risk, it poisons the thing that made the app valuable, which is the sense that you could say anything. That's harder to measure and arguably the most expensive part.

How to share less than you'd regret

You can't audit a company's servers. You can control what you hand them, which is the lever that's actually in your hands.

Treat anything you type as potentially public someday, and let that govern what you include. Keep genuinely identifying details out of conversations: your real full name, your address, your workplace, the names of real people in your life, anything that ties the account to you specifically. Use an email that isn't your main one for signing up, ideally one that doesn't contain your real name, so a leaked email list doesn't immediately point back to you. Be especially careful with images, since photos are both the most damaging thing to leak and a common component of these breaches. And lean toward platforms that offer real account controls, since the existence of a data export and deletion option is at least a signal that someone thought about data handling, even if it's no guarantee.

The blunt principle is to enjoy the intimacy of the conversation without feeding it the specific facts that would make a leak personally catastrophic. You can have a deep, unguarded relationship with a companion while still never telling it where you work. The character doesn't need your address to be good company.
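For readers comfortable running a script, here is one way to apply that principle mechanically before a message ever leaves your machine. This is an added example, not code from any companion app; the names, workplace, phone number and addresses in it are constructed sample data, and the function names are hypothetical.

```python
import re

# Pattern-shaped contact details; everything else comes from your own list.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")

# Constructed sample: the identifying details this user never wants to send.
PERSONAL = {
    "name": ["Dana Whitfield", "Dana"],
    "workplace": ["Northgate Dental"],
    "person": ["Marcus"],
    "address": ["14 Alder Lane"],
}
DRAFT = ("Rough week. Marcus at Northgate Dental cut my hours, so text me at "
         "555-013-2284 or dana.whitfield@example.com. - Dana")

def term_regex(term):
    # Whole-word, case-insensitive match that tolerates odd spacing.
    body = r"\s+".join(re.escape(word) for word in term.split())
    return re.compile(rf"(?<!\w){body}(?!\w)", re.IGNORECASE)

def scrub(message, personal):
    """Return (redacted_message, findings) for a draft message."""
    rules = [("email", EMAIL_RE), ("phone", PHONE_RE)]
    for kind, terms in personal.items():
        rules += [(kind, term_regex(t)) for t in terms if t.strip()]
    hits = []
    for kind, rx in rules:
        hits += [(m.start(), m.end(), kind) for m in rx.finditer(message)]
    # Earliest hit first; on a tie the longer span wins (email over bare name).
    hits.sort(key=lambda h: (h[0], h[0] - h[1]))
    out, findings, pos = [], [], 0
    for start, end, kind in hits:
        if start < pos:
            continue  # already covered by a previous, longer hit
        out += [message[pos:start], f"[{kind}]"]
        findings.append((kind, message[start:end]))
        pos = end
    out.append(message[pos:])
    return "".join(out), findings

def email_reveals_name(address, full_name):
    """True if the sign-up address's local part contains part of your name."""
    local = re.sub(r"[^a-z]", "", address.split("@")[0].lower())
    return any(len(p) >= 3 and p in local for p in full_name.lower().split())

if __name__ == "__main__":
    redacted, found = scrub(DRAFT, PERSONAL)
    print(redacted)
    print(found)
```

A filter like this only catches what you listed plus email- and phone-shaped strings. Context can still identify you, so it supports the habit rather than replacing it.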

The local and BYOK escape hatch

There is one category of setup that sidesteps almost all of this, and it's worth naming for the people the breach record genuinely worries.

Bring-your-own-key and fully local companions don't store your conversations on a company's server at all. A BYOK app keeps data in your own browser and talks to a model through your personal API key. A local setup runs an open model on your own hardware with no outside company in the loop. In both cases, there's no central database of your intimate messages for someone to misconfigure and leak, because there's no central database at all. The tradeoff is setup friction and, for local, the need for a decent GPU, but for privacy specifically the self-hosted route is the strongest answer to the breach problem that exists. Data that never leaves your machine can't leak from someone else's.

For everyone staying on hosted apps, the realistic posture is harm reduction rather than perfect safety. Share less, identify yourself less, use a throwaway email, go easy on photos, and assume every platform is one misconfiguration away from a headline.

The takeaway that's easy to skip

The companies will keep promising security, and some of them will mean it, and the breaches will keep happening anyway, because the structural problem hasn't changed. Sensitive data, small teams, thin budgets, bad incentives. That combination produces leaks the way the enshittification pattern produces filters, reliably and on a schedule.

None of this means abandon the hobby. It means hold a clear-eyed model of what you're doing: having a private-feeling conversation in a place that is not reliably private. Once you hold that honestly, the adjustments are small and the protection is real. Keep the intimacy, drop the identifying details, and never tell a server something you couldn't survive seeing on the open internet. The people who got hurt in these breaches mostly weren't careless. They just trusted the interface, which was designed to be trusted, by companies that didn't earn it.

This is a sensitive area, and if reading about breaches or extortion stirs up real worry about your own exposure, it's worth talking it through with someone you trust rather than carrying it alone.