NSFW AI Platform My Lovely AI Exposes 106K User Accounts in Sensitive Data Breach
What Happened — In April 2026 the adult‑oriented AI chatbot service My Lovely AI suffered a breach that leaked the email addresses, Discord/X usernames, user‑generated prompts, and links to AI‑generated images of over 106 000 accounts. The breach is classified as “sensitive” by Have I Been Pwned, meaning the data is not searchable publicly.
Why It Matters for TPRM —
- Personal identifiers and behavioural data from a high‑risk adult‑content service can be weaponised for phishing, extortion, or credential‑stuffing attacks.
- The incident underscores the importance of continuous monitoring of SaaS vendors that process sensitive user‑generated content.
- Exposure of social‑media handles creates a direct vector for targeted social‑engineering against both end‑users and partner organizations.
Who Is Affected — Consumers of adult‑oriented AI services; SaaS providers in the AI/content‑generation space; downstream partners that integrate My Lovely AI APIs.
Recommended Actions —
- Verify whether any corporate email addresses appear in the breach and force immediate password resets.
- Enforce multi‑factor authentication for all accounts tied to the service.
- Review contractual security clauses with the vendor and consider adding data‑handling safeguards for sensitive content.
- Add the breach to your third‑party risk register and monitor for credential‑reuse attacks.
Technical Notes — Attack vector not disclosed; likely a misconfiguration or insider leak. No CVEs reported. Exfiltrated data includes email addresses, Discord/X usernames, user prompts, and URLs to AI‑generated images. Source: Have I Been Pwned – My Lovely AI breach