A Silicon Valley-based AI image generator has exposed over 1 million user-generated images in an unprotected database, including explicit deepfakes and nonconsensual face-swapped content, according to cybersecurity researcher Jeremiah Fowler.
The exposed database belonging to MagicEdit—an AI platform operated by SocialBook and affiliated with BoostInsider Inc.—was discovered completely unencrypted and without password protection. The breach contained 1,099,985 records, with the overwhelming majority consisting of explicit AI-generated content.
Fowler's investigation revealed concerning content including AI-manipulated images depicting what appeared to be minors, face-swapped photos combining real individuals' faces with AI-generated bodies, and what seemed to be unaltered reference photos uploaded without consent.
"Thank you for this responsible disclosure. We take this extremely seriously and we are conducting a full investigation into the scope of the exposure," MagicEdit responded after Fowler's notification. The database was immediately restricted, and as of publication, MagicEdit's website and apps have been removed from availability.
MagicEdit marketed itself as an 18+ AI image generator allowing users to create "unrestricted" content through text prompts or uploaded photos. While users could log in to view their own creations, the database exposure meant anyone with an internet connection could access other users' private images.
The breach highlights a critical gap in AI platform security. Research indicates that 96% of all deepfakes online are pornographic, with 99% involving women who didn't consent to their likeness being used—making such exposures particularly dangerous for harassment and blackmail.
Security experts recommend making social media profiles private, disabling public visibility of photos, and removing location data from images. The recently enacted Take It Down Act (S.146) now makes publishing nonconsensual intimate images, including AI-generated deepfakes, a federal crime in the United States, requiring platforms to remove reported content within 48 hours.
Anyone who discovers their images used without consent should immediately contact law enforcement and notify the hosting platform to invoke these protections.