My Lovely AI Breach Exposes 106K User Prompts

Overview

On April 2026, the NSFW AI girlfriend platform My Lovely AI confirmed a data breach affecting 106,271 user accounts. The breach exposed user-created prompts, links to AI-generated images, and a small number of Discord and X usernames. The incident was reported to Have I Been Pwned (HIBP), and affected users can verify their exposure at haveibeenpwned.com.

What Was Exposed

The compromised data includes:

• Usernames: Display names and account identifiers.
• User-Created Prompts: The text inputs users provided to generate AI responses or images. These prompts often contain highly personal, intimate, or identifying details.
• AI-Generated Image Links: Direct URLs to images produced by the platform based on user prompts. These images may depict users or others, and the metadata could reveal locations or devices.
• Discord and X (Twitter) Usernames: A small subset of accounts linked social media profiles, enabling cross-platform identification.

Why This Matters

This breach is unusual because the exposed data goes beyond account credentials-it includes the content users created. Prompts on NSFW platforms often contain sensitive personal fantasies, identifiable descriptions, or even real names and locations. The links to AI-generated images compound the risk, as these images could depict users in compromising situations, and the metadata might expose technical details like file creation timestamps or device identifiers.

Who’s Actually Affected

All 106,271 registered accounts are affected. However, the breach’s impact extends to anyone included in the prompts or images-even if they never used the platform. For example, a user who described a real partner or shared a recognizable image could inadvertently expose that person’s identity or personal details.

How to Check If You’re Affected

1. Visit Have I Been Pwned: Go to haveibeenpwned.com and search your email address.
2. Look for My Lovely AI: If your email is in the breach, the site will show an entry for this incident.
3. Check Your Account: Log in to My Lovely AI and review your saved prompts and images. Delete any content you wish to remove.
4. Monitor for Phishing: Be alert for emails claiming to offer “breach support” or requesting personal information-this is likely a scam.

What to Do Right Now

• Change your My Lovely AI password immediately, even if you don’t see your email in HIBP. Use a unique, strong password.
• Review and delete any saved prompts, image links, or associated social media connections on the platform.
• If you shared prompts with real-world details (names, places, identifiable descriptions), consider the risk to those individuals and inform them.
• Enable two-factor authentication (2FA) on any account where you used the same username or email combination.
• Watch for social engineering attempts-attackers may use the exposure of preferences or identity to craft targeted scams.

Security Insight

This breach reveals a critical oversight in platforms handling NSFW user-generated content: storing raw, unencrypted prompts and image links as if they were just metadata. Unlike password hashing, prompt storage often lacks any protection, leaving intimate user data fully readable in a breach. This incident aligns with a broader pattern in adult-tech breaches, where the data’s sensitivity far exceeds its technical exposure. The lesson for developers is clearypt user-generated content at rest, and treat prompt logs as personally identifiable information (PII) because, in many cases, that is exactly what they are.

Further Reading

• All Medium Breaches
• Recent Data Breaches