A recent investigation has revealed that millions of pieces of sensitive user data were exposed—not due to a sophisticated cyberattack, but because of inadequate security measures. The findings, published by ExpressVPN and led by cybersecurity researcher Jeremiah Fowler, demonstrate how easily personal information can be compromised when essential protections like encryption and password security are overlooked.
The report uncovered a major data exposure involving AI-powered chatbots used by retailers for customer service. These systems, designed to streamline interactions, were found to be storing vast amounts of customer data without proper safeguards.
While many users rely on VPN services to protect their online privacy through strong encryption, such tools cannot prevent data leaks caused by negligence on the part of companies or third-party providers handling user information.
Fowler identified three publicly accessible databases that lacked both password protection and encryption. Together, these databases contained approximately 3.7 million records, including highly sensitive personal details such as email addresses, home addresses, and phone numbers.
Even a small sample of the exposed data highlighted the scale of the issue. It included 1,422,577 customer audio recordings, 3.9TB of text transcripts, 207,381 Excel files, and 415.2GB of audio data.
The sampled data was linked to Sears Home Services, a US-based retail and repair company that uses AI chatbots in English and Spanish to manage scheduling, phone calls, and online customer interactions. Among the files were 54,359 complete chatbot conversation transcripts along with corresponding audio recordings.
Fowler also noted a concerning flaw in the system: audio recordings continued even if a customer failed to properly end a call. As a result, some recordings captured up to four hours of background audio, potentially including sensitive conversations and biometric voice data.
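The recording flaw described above has a simple defensive fix: a recorder should stop on its own when the call is abandoned, rather than relying on the customer to end it cleanly. The example below is an added illustration, not code from the ExpressVPN report or from the chatbot system it describes. It models a call recorder that stops on an explicit hang-up, after a silence budget is exhausted, or at a hard maximum duration, whichever comes first; the class names, thresholds and the constructed sample frames are all assumptions chosen for the example.

```python
"""Guard rails for a call-recording pipeline (added example, assumptions only).

Models one defensive fix for the failure mode in the report: a recorder that
keeps running when the customer never properly ends the call. Names
(CallRecorder, StopReason, run_call) and the thresholds are illustrative.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class StopReason(Enum):
    HANGUP = "hangup"                 # telephony side signalled end of call
    SILENCE = "silence"               # no speech for longer than the silence budget
    MAX_DURATION = "max_duration"     # hard cap reached regardless of activity


@dataclass
class CallRecorder:
    """Consumes audio frames and decides when recording must stop.

    Thresholds are constructed defaults for this example; a real deployment
    would set them from retention and privacy policy.
    """
    max_duration_s: float = 30 * 60   # never record beyond 30 minutes
    silence_budget_s: float = 120.0   # stop after 2 minutes without speech
    speech_energy: float = 0.05       # RMS energy above which a frame counts as speech

    recorded_s: float = field(default=0.0, init=False)
    _silent_run_s: float = field(default=0.0, init=False)
    stop_reason: Optional[StopReason] = field(default=None, init=False)

    def feed(self, frame_s: float, rms: float) -> bool:
        """Account for one audio frame of length frame_s with energy rms.

        Returns True while recording should continue, False once a stop
        condition has been hit (the frame that triggers the stop is still
        counted, so recorded_s reflects what was actually captured).
        """
        if self.stop_reason is not None:
            return False
        self.recorded_s += frame_s
        if rms >= self.speech_energy:
            self._silent_run_s = 0.0          # speech resets the silence budget
        else:
            self._silent_run_s += frame_s
        if self.recorded_s >= self.max_duration_s:
            self.stop_reason = StopReason.MAX_DURATION
        elif self._silent_run_s >= self.silence_budget_s:
            self.stop_reason = StopReason.SILENCE
        return self.stop_reason is None

    def hangup(self) -> None:
        """Explicit end-of-call signal from the telephony layer."""
        if self.stop_reason is None:
            self.stop_reason = StopReason.HANGUP


def run_call(frames: List[Tuple[float, float]],
             hangup_after_frames: Optional[int] = None,
             **recorder_kwargs) -> Tuple[Optional[StopReason], float]:
    """Drive a recorder over frames of (length_s, rms).

    Returns (stop_reason, seconds_recorded). hangup_after_frames simulates a
    caller who ends the call cleanly after that many frames.
    """
    rec = CallRecorder(**recorder_kwargs)
    for i, (frame_s, rms) in enumerate(frames):
        if hangup_after_frames is not None and i == hangup_after_frames:
            rec.hangup()
            break
        if not rec.feed(frame_s, rms):
            break
    return rec.stop_reason, rec.recorded_s


def abandoned_call_frames(speech_s: float, trailing_s: float,
                          frame_s: float = 1.0) -> List[Tuple[float, float]]:
    """Constructed sample: speech, then the caller walks away and only
    low-level background noise reaches the microphone."""
    speech = [(frame_s, 0.3)] * int(speech_s / frame_s)
    background = [(frame_s, 0.01)] * int(trailing_s / frame_s)
    return speech + background


if __name__ == "__main__":
    # One minute of speech followed by four hours of background noise: the
    # silence budget cuts the recording off at 180 s instead of ~4 h.
    print(run_call(abandoned_call_frames(60, 4 * 3600)))
```

With these guards an abandoned call yields about three minutes of audio rather than four hours, and a hard cap still bounds a call that stays noisy. The silence threshold is the setting to tune carefully: too low and background chatter keeps the recorder alive, which is exactly the condition the report describes.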
To illustrate the severity of the issue, Fowler shared screenshots showing how easily the data could be accessed, including interfaces that allowed users to browse files and play audio recordings directly in a web browser.
How to Stay Safe
Although Fowler confirmed that access to the exposed databases was restricted shortly after he reported the issue to Transformco, the parent company of Sears Home Services, he emphasized ongoing concerns about data security practices.
The investigation underscores the growing risks associated with AI-driven systems that store large volumes of sensitive information. With projections suggesting that deepfake-enabled fraud losses could reach $40 billion by 2027, such data exposures could have serious consequences.
Stolen data of this scale could allow cybercriminals to piece together identities or create convincing digital replicas for fraudulent activities. In these scenarios, even advanced privacy tools like VPNs offer little protection if the breach originates from trusted services themselves.
ExpressVPN advises users to remain cautious by adopting strong passwords and exercising care when sharing sensitive information. Users should also be wary of unsolicited communications—such as emails, texts, or calls—that reference personal details.
Additionally, to guard against voice cloning scams, it is recommended to establish a verification password with trusted contacts, especially for situations involving urgent financial or personal requests.