Muah.AI 2024 Data Breach

ObscureIQ Breach Intelligence

Classification Tags

Anonymous hacker (404 Media source) · Misconfiguration · Chat · AI Prompt Content · Email Address · Sexual Preferences · High Severity · Website / service breach

Muah.AI 'AI Girlfriend' Chatbot Breach (2024): 1.9 Million User Records Including AI Prompt Content & Sexual Preferences Exposed

AI chatbot and conversational platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 72/100
Data Value: 40
Market Recency: 25
Since Breach: 566d

Breach Intelligence Summary

Entity: Muah.AI · Actor: Anonymous hacker (404 Media source) · Sources: 2 references
Attack: Misconfiguration
Profile: Platform · AI-driven companion and chat services · Consumer AI platform · Global
Timeline: Breach (2024-09-17) · Indexed (Oct 08, 2024) · Year (2024)
Exposure: 1.9M records · 3 fields: AI Prompt Content, Email Address, Sexual Preferences
Status: Confirmed

Executive Summary

Muah.AI, a self-described 'uncensored' AI girlfriend and companion chatbot platform, suffered a data breach on or around September 17, 2024 when a hacker exploited vulnerabilities in the site's infrastructure. The hacker reportedly described Muah.AI's technical foundation to 404 Media as a poorly assembled collection of open-source components and disclosed the breach to journalists after discovering the disturbing content of the user-prompt database. The breach was publicly disclosed in early October 2024 through 404 Media reporting and was indexed by Have I Been Pwned on October 8, 2024 with a sensitive flag.

The breach affected approximately 1.9 million users based on records indexed by Have I Been Pwned, which counted approximately 1,910,261 unique email addresses. Compromised fields included email addresses, AI prompts directing image generation, and user sexual-preference settings. The site's email-verification process meant that affected email addresses had been verified by their owners before the prompts were submitted, indicating that the prompts can credibly be tied to real individuals rather than to fraudulent use of someone else's email address. Many of the prompts were highly sexual in nature, and a significant portion of them described child sexual abuse scenarios, including documented requests for AI-generated content depicting infants and young children. The platform's email addresses are largely tied to real personal identities including names visible in LinkedIn profiles, rather than to anonymous burner accounts.

For affected users, the practical risk profile is exceptionally severe and varies substantially by the content of individual users' prompts. For users whose prompts were limited to lawful adult content, the standard adult-platform extortion-risk profile applies. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion. Users should change any reused passwords on other accounts, enable two-factor authentication where available, document all extortion communications, and report extortion attempts to law enforcement.

For users whose prompts described child sexual abuse scenarios, the risk profile extends substantially beyond extortion to include direct criminal exposure under U.S., U.K., and other jurisdictions' laws governing the production, possession, or attempted generation of child sexual abuse material, including computer-generated pseudo-images. Users with this exposure may be referred to legal counsel and should expect that law enforcement agencies have access to or are reviewing the breach data. A documented active extortion vector specifically targets high-value IT employees among affected users, demanding access to employer systems rather than financial payment, meaning employers may be at indirect risk through their staff's exposure in this breach.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal intimate fantasies, fetish interests, and potentially illegal or highly stigmatizing prompt content. This creates acute risk of extortion, reputational harm, coercion, and law-enforcement or employer exposure concerns.

Breach Impact

The institutional impact on Muah.AI is significant on reputational and regulatory dimensions, although the platform continues to operate. Law enforcement attention has been raised in multiple jurisdictions because of the documented presence of child-exploitation prompts in the dataset, with potential implications for the platform's compliance with content-moderation, anti-CSAM, and AI-safety regulatory frameworks emerging in 2024 to 2026. The case has been cited as a leading example of safety failures in the unmoderated AI-companion category and has shaped subsequent regulatory and platform-policy discussions about generative-AI content moderation. Active extortion campaigns targeting affected users have been documented, including a notable pattern in which threat actors target high-value IT employees in affected user populations, demanding access to employer systems rather than financial ransom. This represents an unusual extortion vector that elevates the breach's institutional impact beyond Muah.AI itself to the employers of affected users.

About Muah.AI

Muah.AI is an 'AI girlfriend' companion-chatbot platform that allows users to create and interact with customized AI-powered companions for romantic, sexual, and conversational role-play. The platform offers text chat, voice chat, and AI-generated image exchange with user-customized AI characters described as 'caring AI-powered girlfriends, supportive boyfriends, or virtual therapists.' Muah.AI markets itself as 'uncensored' and explicitly positions itself in opposition to mainstream AI platforms' content moderation, stating publicly that it does not 'actively censor or filter AI' and that 'any topic can be discussed without running into a wall.' As an account-based generative-AI companion platform, Muah.AI maintains user account data including email addresses and stored prompt history that captures users' generative requests, sexual fantasies, fetish preferences, and persistent character-customization settings.

Why They Hold Your Data

AI companion and sexually oriented chatbot platforms collect account emails, generated prompt history, fetish-linked preferences, and interaction data tied to deeply personal or explicit use cases.

Recent Developments

The Muah.AI breach was first reported by 404 Media in early October 2024 after a hacker independently discovered and exploited vulnerabilities in the site's infrastructure. The hacker, who reportedly stumbled onto the vulnerabilities while using the site for adult content, told 404 Media that the platform was 'basically a handful of open-source projects duct-taped together' and that they decided to contact journalists after seeing what was in the database. Have I Been Pwned added the breach on October 8, 2024 with a sensitive-breach designation. Muah.AI's administrator publicly responded by claiming the hack must have been 'sponsored by competitors in the uncensored AI industry' rather than acknowledging the platform's security weaknesses. The breach has been the subject of significant legal and media analysis, including detailed coverage from Linklaters and other law firms regarding criminal exposure for users whose prompts described illegal content, and regarding active extortion attempts targeting affected individuals.

Data Points Exposed

3 verified field types
  • AI Prompt Content
  • Email Address
  • Sexual Preferences (High)

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Sensitive disclosure & behavioural profiling
  • Phishing, credential stuffing & account takeover
  • Blackmail & coercive extortion

Threat Actor: Anonymous hacker (404 Media source)

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Muah.AI breach?

Muah.AI, a self-described 'uncensored' AI girlfriend and companion chatbot platform, suffered a data breach on or around September 17, 2024 when a hacker exploited vulnerabilities in the site's infrastructure. The hacker reportedly described Muah.AI's technical foundation to 404 Media as a poorly…

What data was exposed?

Verified fields include AI Prompt Content, Email Address, Sexual Preferences.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Have I Been Pwned (Breach Index): Record & field corroboration
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
