GenNomis exposes images, site goes dark
Security researcher Jeremiah Fowler discovered an exposed, unprotected Amazon S3 bucket tied to South Korea-based site GenNomis containing roughly 93,485 to over 95,000 image and metadata records, according to reporting by The Register and WIRED. The exposed files included JSON prompt logs and tens of gigabytes of AI-generated images, and both outlets reported that some images appeared to depict child sexual abuse material and celebrity faces de-aged to look like minors. WIRED reported that hours after it contacted the companies, the GenNomis and AI-Nomis websites were taken offline or began returning 404 errors. "The big thing is just how dangerous this is," Fowler told WIRED. The incident is a case study in how unsecured cloud storage can compound the legal and safety risks of generative-image platforms.
For teams operating generative-image platforms, this incident illustrates how a routine cloud-storage misconfiguration can escalate into a severe legal and safety failure. Pairing an unsecured media bucket with linked prompt logs does not just expose images; it exposes a record connecting specific users to specific generated content, which multiplies both the abuse surface and the incident-response burden.
What happened
Security researcher Jeremiah Fowler discovered an exposed, unprotected Amazon S3-style bucket tied to GenNomis, a South Korea-based AI image-generation site, according to The Register and WIRED. The Register reported the cache contained 93,485 image files and associated JSON prompt logs, while WIRED reported the exposed dataset comprised more than 95,000 records and roughly 45 GB of mostly AI-generated images. Both outlets reported that some of the exposed images appeared to depict child sexual abuse material and celebrity faces de-aged to look like minors. "The big thing is just how dangerous this is," Fowler told WIRED. WIRED reported that hours after it contacted GenNomis and parent company AI-Nomis, both companies' websites were taken offline or began returning 404 errors.
Technical context
The exposed bucket had no password protection or encryption, according to The Register, and stored both media files and JSON records logging user prompts alongside direct links to the generated images, which WIRED confirmed. Linking prompt metadata to generated media in a single, unsecured location compounds the risk of any single exposure, since it connects specific inputs to specific outputs rather than leaving content unattributed.
Industry context
The incident fits a broader pattern of generative-image tools being used to create nonconsensual and abusive content, which continues to strain platform moderation and legal compliance industry-wide, according to WIRED's reporting.
For practitioners
Teams operating generative-image systems should treat this as a concrete checklist: review object-storage ACLs and default bucket policies, separate prompt telemetry from raw media storage, enforce encryption at rest, and set explicit retention limits on generated-content caches, since any one of these controls could have prevented this exposure.
What to watch
Watch for whether GenNomis or AI-Nomis face regulatory or legal action tied to the exposed content, and whether other generative-image platforms face similar disclosures as researchers continue auditing public cloud storage for AI-generated media.
Key Points
- 1An unsecured Amazon S3 bucket exposed roughly 95,000 AI-generated images and prompt logs from GenNomis, a South Korea-based image-generation site.
- 2Reporting from WIRED and The Register found some exposed images appeared to depict child sexual abuse material and de-aged celebrity faces.
- 3GenNomis and parent company AI-Nomis took their websites offline within hours of being contacted by WIRED for comment.
Scoring Rationale
A verified operational-security failure that exposed AI-generated child sexual abuse material and prompt logs via an unsecured cloud storage bucket is a severe practitioner safety-and-compliance case study; scored on severity and reporting quality alone, independent of publication date, per policy against recency penalties.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

