Cutout offers users the ability to modify photos or produce images using an AI-based Application Programming Interface (API), which can be integrated into third-party applications. The research team informed that “the exposed instance also had around 22 million log entries referencing usernames, including individual users and business accounts. However, this does not imply that an equal number of users was exposed, as some log entries were duplicates.” “Cutout.pro self-reported having over 300 million API requests, peaking at 4,000 requests per second from over 5,000 applications and websites used worldwide. Cutout.pro boasts of working with over 25k businesses,” they added. The data of some applications that employed Cutout.pro’s API were also compromised. The team identified that user accounts from the Vivid App and AYAYA App, both of which were listed as customers on Cutout’s website, were among those included in the public database. The data breach that led to the exposure of user data may compromise their privacy, as hackers could have obtained access to media uploaded by Cutout’s customers for AI-based editing, including personal photos meant for private use. Cybernews researchers said, “if Cutout.pro’s developers previously didn’t back up the data, the open instance could have led not only to the temporary denial of service but a permanent data loss that was stored on the open instance. Attackers could have wiped it out.” Business clients who utilized Cutout.pro’s API are encouraged to inspect the endpoints that were linked with the service. Similarly, users are advised to update their platform usernames as a precautionary measure.
