If You Played AI Dungeon Back in April Your Data Was Probably Compromised

The World of Procavia (Image: Latitude)

The developer behind AI Dungeon this week shared info on a breach that occurred nearly six months ago. But don’t be too alarmed, everyone involved says no passwords were breached.

AI Dungeon is a free-to-play single-player and multiplayer text adventure game which uses artificial intelligence to generate content. It’s actually pretty fun. Strange, but fun.

In a memo, Latitude (the developer) says in April 2021 it became aware of a vulnerability in the AI Dungeon API after the person who accessed its systems shared their findings.

They claimed to have accessed the AI Dungeon systems between April 15th and April 19th, 2021, as part of what they said was a proof of concept, before disclosing the vulnerability and claiming to have deleted the data.

Nearly six months later, the company decided to acknowledge the incident.

“After learning about this issue, we undertook an extensive review of the data to understand how information was involved and to which users it related,” they said, answering why it took so long to make this info public.

“We also worked with outside data specialists to assess the incident and data involved to determine next steps. Based on these efforts, we are providing you, our community, with more information about what we have learned.”

I Played AI Dungeon, So What Does This Mean?

The vulnerability was immediately fixed, Latitude says, and only the individual behind the incident used it to access data.

The AI Dungeon maker said it disabled introspection to its GraphQL API, disabled vulnerable endpoints, expanded the scope of its automated testing suite, undertook a sweeping security audit of its entire system and kicked off an external security assessment.

But the individual responsible tells a different tale.

“On April 18th, I discovered a vulnerability in the AI Dungeon GraphQL API that allowed unpublished adventures, unpublished scenarios, and unpublished posts to be leaked. These resources could be read in bulk, at a rate of approximately 1000 requests per minute,” they wrote on GitHub.

“Unfortunately, this is, in fact, the second time I have discovered this exact vulnerability. The first time, the issue was reported and fixed, but after finding it again, I can see that simply reporting the issue was a mistake.

“Rather, I am using this report as leverage. By making not only the devs, but the users aware of these critical issues, it will hopefully incentivise the AI Dungeon team to ensure that vulnerabilities like these never see the light of day.”
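The two passages above describe the problem (a GraphQL API returning unpublished adventures, scenarios and posts in bulk) and the remediation (disabling introspection and the vulnerable endpoints). Disabling introspection only hides the schema; the actual fix is an object-level authorization check in each resolver, plus a per-viewer request budget so that bulk enumeration is throttled and visible. The example below is added here and is not Latitude's code; the in-memory store, viewer ids, field names and limits are constructed for illustration.

```javascript
// Constructed store standing in for the adventures table. Unpublished rows
// must only ever be returned to their owner.
const adventures = new Map([
  [1, { id: 1, ownerId: 'alice', title: 'Procavia Run', published: true, inviteCode: 'X1' }],
  [2, { id: 2, ownerId: 'alice', title: 'Draft Dungeon', published: false, inviteCode: 'X2' }],
  [3, { id: 3, ownerId: 'bob', title: 'Secret Quest', published: false, inviteCode: 'X3' }],
]);

// Projection for non-owners: internal identifiers, invite codes and other
// metadata never leave the owner's view.
function publicView(a) {
  return { id: a.id, title: a.title };
}

// The vulnerable shape: the resolver trusts the id argument and returns the
// whole row regardless of who is asking or whether it is published.
function resolveAdventureUnsafe(_viewer, args) {
  return adventures.get(args.id) ?? null;
}

// Hardened resolver: authorization is decided per object inside the resolver,
// so it holds no matter which query or endpoint reaches this field.
function resolveAdventure(viewer, args) {
  const a = adventures.get(args.id);
  if (!a) return null;
  if (a.published) return publicView(a);
  if (viewer && viewer.id === a.ownerId) return a;
  return null; // same answer for "missing" and "not yours": no enumeration oracle
}

// Sliding-window budget per viewer (or per client IP for anonymous calls).
// Requests beyond `limit` in `windowMs` are refused and should be logged, so
// a sustained bulk read stands out in monitoring instead of going unnoticed.
function makeRateLimiter(limit, windowMs) {
  const hits = new Map();
  return function allow(viewerKey, now = Date.now()) {
    const recent = (hits.get(viewerKey) ?? []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) { hits.set(viewerKey, recent); return false; }
    recent.push(now);
    hits.set(viewerKey, recent);
    return true;
  };
}
```

Wire `allow()` in front of every resolver that returns user content, keyed on the authenticated viewer, and alert on refusals rather than silently dropping them.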

What Was Accessed In The Breach?

The individual obtained user content from some users’ adventures, scenarios, posts and comments, including those which were not published. It also contained the associated usernames.

In addition, the individual accessed dates and times of creation, most recent update and publication; whether the NSFW flag was set; tags and total upvotes; descriptions, internal identifiers and titles for scenarios; and adventure titles, multiplayer invite codes, and player count.

The AI Dungeon maker says no passwords or emails were obtained. And the security researcher behind the findings backs this claim up.

How Do I Know If I’m Affected?

If your data was included in the incident, you should receive an email within the next 24 hours from Latitude. The support team is accessible at [email protected].

While no passwords were compromised, it’s a good opportunity for some personal ‘password hygiene’.