Muah.AI, a self-described 'uncensored' AI girlfriend and companion chatbot platform, suffered a data breach on or around September 17, 2024 when a hacker exploited vulnerabilities in the site's infrastructure. The hacker reportedly described Muah.AI's technical foundation to 404 Media as a poorly assembled collection of open-source components and disclosed the breach to journalists after discovering the disturbing content of the user-prompt database. The breach was publicly disclosed in early October 2024 through 404 Media reporting and was indexed by Have I Been Pwned on October 8, 2024 with a sensitive flag.

The breach affected approximately 1.9 million users based on records indexed by Have I Been Pwned, which counted approximately 1,910,261 unique email addresses. Compromised fields included email addresses, AI prompts directing image generation, and user sexual-preference settings. The site's email-verification process meant that affected email addresses had been verified by their owners before the prompts were submitted, indicating that the prompts can credibly be tied to real individuals rather than to fraudulent use of someone else's email address. Many of the prompts were highly sexual in nature, and a significant portion of them described child sexual abuse scenarios, including documented requests for AI-generated content depicting infants and young children. The platform's email addresses are largely tied to real personal identities including names visible in LinkedIn profiles, rather than to anonymous burner accounts.

For affected users, the practical risk profile is exceptionally severe and varies substantially by the content of individual users' prompts. For users whose prompts were limited to lawful adult content, the standard adult-platform extortion-risk profile applies. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion. Users should change any reused passwords on other accounts, enable two-factor authentication where available, document all extortion communications, and report extortion attempts to law enforcement. For users whose prompts described child sexual abuse scenarios, the risk profile extends substantially beyond extortion to include direct criminal exposure under U.S., U.K., and other jurisdictions' laws governing the production, possession, or attempted generation of child sexual abuse material, including computer-generated pseudo-images. Users with this exposure may be referred to legal counsel and should expect that law enforcement agencies have access to or are reviewing the breach data. A documented active extortion vector specifically targets high-value IT employees among affected users, demanding access to employer systems rather than financial payment, meaning employers may be at indirect risk through their staff's exposure in this breach.

AI companion and sexually oriented chatbot platforms collect account emails, generated prompt history, fetish-linked preferences, and interaction data tied to deeply personal or explicit use cases.

The Muah.AI breach was first reported by 404 Media in early October 2024 after a hacker independently discovered and exploited vulnerabilities in the site's infrastructure. The hacker, who reportedly stumbled onto the vulnerabilities while using the site for adult content, told 404 Media that the platform was 'basically a handful of open-source projects duct-taped together' and that they decided to contact journalists after seeing what was in the database. Have I Been Pwned added the breach on October 8, 2024 with a sensitive-breach designation. Muah.AI's administrator publicly responded by claiming the hack must have been 'sponsored by competitors in the uncensored AI industry' rather than acknowledging the platform's security weaknesses. The breach has been the subject of significant legal and media analysis, including detailed coverage from Linklaters and other law firms regarding criminal exposure for users whose prompts described illegal content, and regarding active extortion attempts targeting affected individuals.