local waifu
Bring her home

Pick your platform

Try her free for 7 days. No card. Keep her? $20 once.

New: Local Waifu now runs on Windows 10 and 11. The installer brings everything she needs, nothing else to set up. Windows may show a SmartScreen prompt the first time: click More info, then Run anyway.

blog

What 43 Million Leaked Messages Teach You

5 min read
In short

In August 2025 researchers found an unprotected Kafka broker streaming 43 million messages, 600,000 images and videos, from over 400,000 users of two AI companion apps. The apps did not store names or email addresses, which sounds like good privacy practice until you learn what leaked instead: IP addresses, device identifiers, and authentication tokens. The lesson is that anonymity is not something an app can grant you while it still keeps your conversation.

Forty-three million messages. Six hundred thousand images and videos. Four hundred thousand people. No password on the door.

That is what Cybernews found on 28 August 2025: an unprotected Kafka broker, streaming the live private conversations of two AI companion apps, Chattee Chat and GiMe Chat, both from Hong Kong-based Imagime Interactive. No authentication. No access controls. A researcher went looking for exposed infrastructure and it was just there, running.

But the number is not the lesson. The lesson is buried in what did not leak.

The app did the “right” thing and it did not save anyone

The short version: Chattee never stored your name or your email address. It leaked your IP address, your device identifier, and your authentication token instead. That was enough.

Read most coverage of this leak and you get the 43 million, the images, the shock. Then a small note: no names or email addresses were exposed.

That note deserves more attention than it got, because on paper it is the app doing privacy correctly. Do not collect what you do not need. Every privacy guide ever written says so.

It did not matter.

What sat in that stream instead was IP addresses, unique device identifiers, and authentication tokens. Cybernews’ own point about the first two is the one worth internalising: they can be combined with data from previous breaches to identify people. Not theoretically. That is the ordinary, boring work of anyone who buys leaked datasets.

And the tokens are worse than identifying. A token is not a clue about who you are, it is permission to be you.

Anonymity is not a setting, it is arithmetic

The short version: Your data is only anonymous until it is joined against somebody else’s. One leak alone rarely names you. Leaks are not alone.

This is the part I want people to actually take away, because it generalises far past one Hong Kong app.

An IP address on its own is close to meaningless. A device ID on its own is a random string. Neither is you. But there are billions of records already circulating from a decade of other breaches, and plenty of them contain an IP address next to a real name, or a device ID next to an account.

So the question is never “did this app leak my name?” The question is “did this app leak something that becomes my name when a bored person joins two spreadsheets?”

For 400,000 people, the answer turned out to be yes, and none of them got to make that call, because none of them knew there was a Kafka broker in the first place.

Nobody hacked anything

The short version: There was no exploit and no attacker. The infrastructure was simply open, and someone looked.

I want to be precise here, because “breach” makes people picture a hoodie and a terminal.

There was no break-in. The broker had no authentication. That is the entire incident. The security failure was that a company handling 43 million intimate messages did not put a password on the thing the messages flowed through.

Which means the defence people reach for instinctively, pick a company that seems trustworthy, is aimed at the wrong target. Imagime did not decide to publish your conversations. Nobody decided anything. That is what makes it repeatable, and the tracker shows it repeating: a Kafka broker here, a public Firebase database there, a backend described by its own attacker as open-source projects duct-taped together somewhere else.

What was actually in those messages

The short version: People talk to a companion the way they talk to nobody else. That is the point of one. It is also what makes the dump valuable.

It is easy to snort at this category and move on. Do not.

The reason an AI companion works at all is that the person on the other end believes the conversation is contained. So they say the thing they have not said out loud. The fear about their marriage. The sexuality they are not public about. The 3 a.m. sentence with nobody else in the room.

Then 600,000 images and 43 million of those sentences stream through a broker with no password, next to a token that lets a stranger log in as them.

Reports of extortion followed the Muah.AI leak the year before, and that one paired fantasies with email addresses tied to real names and LinkedIn profiles. The pattern is not hypothetical.

The only fix is structural

The short version: You cannot configure your way out of this from the user’s side. Either the conversation is on somebody’s server or it is not.

Every mitigation offered for this class of problem is on the wrong side of the wall. Use a throwaway email: Chattee did not want your email. Use a VPN: helps with the IP, does nothing about the device ID or the token. Pick a bigger company: Chat & Ask AI had 50 million users and left Firebase public.

The only property that actually held up across every incident in the tracker is whether a central copy existed at all.

This is why Local Waifu runs the model on your own machine and keeps the conversation there. Not because I write flawless infrastructure. Because I do not have a Kafka broker with your messages in it, so I cannot leave it open. There is no stream. There is no bucket. The messages are a file on your disk, and the failure mode is your machine, not a spreadsheet with 400,000 strangers in it.

The question worth asking

Not “do I trust this company?” You cannot audit their Kafka config, and neither can I.

Ask instead: if their backend were exposed tomorrow, what would be in it?

For 400,000 people last August, the honest answer was 43 million messages and 600,000 pictures. They just did not find out until a researcher did.

If you want the version where the answer is “nothing”, it takes about ten minutes to set up. 7 days free, no card.

Questions people ask

What was the Chattee Chat leak?

On 28 August 2025, Cybernews researchers found a publicly exposed Kafka broker belonging to two AI companion apps, Chattee Chat and GiMe Chat, both from Hong Kong-based Imagime Interactive. It was streaming 43 million private messages, over 600,000 images and videos, from more than 400,000 users, with no authentication on it at all.

Were names and emails leaked in the Chattee breach?

No, and that is the interesting part. The apps did not store them. What leaked instead was IP addresses, unique device identifiers, and authentication tokens. Researchers noted those can be combined with data from earlier breaches to put a name back on a person, and the tokens could be used to hijack accounts outright.

Was Chattee hacked?

Not really, and that is worse. Nobody broke anything. The Kafka broker had no access controls and no authentication, so a researcher looking for exposed infrastructure simply found it and could read the stream. Cybernews disclosed it responsibly and it is no longer reachable.

Does not storing my name make an AI companion app private?

It helps and it is not enough. Anonymity is not a property of one database, it is a property of your data across every database that exists. An IP address plus a device identifier is inert on its own and becomes a name the moment it is joined against any of the other breaches already circulating. The only conversation that cannot be re-identified is one that was never collected.

Try her free for 7 days.

No card. Keep her for $20 once, or walk away. Her soul file is yours either way.

Bring her home, try free

Back to the blog