GenNomis exposes images, site goes dark

Security researcher Jeremiah Fowler discovered an exposed, unprotected Amazon S3 bucket tied to the South Korea- based site GenNomis, according to reporting by The Register. The Register reports the cache contained 93,485 image files and associated JSON prompt logs, while WIRED reports the exposed dataset comprised more than 95,000 records and roughly 45 GB of mostly AI-generated images. Both outlets say the files include explicit imagery, with reporting noting some images that appear to show child sexual abuse material and celebrity faces de-aged to look like minors (The Register; WIRED). WIRED reports that hours after the outlet contacted GenNomis and parent company AI-Nomis, the companies' websites were taken offline or began returning 404 errors.

The exposed assets included image files and JSON records that logged user prompts and direct links to generated images, according to The Register and WIRED. The Register describes the storage as an unsecured S3-style bucket with no password protection or encryption, and WIRED confirms the bucket contained both media and prompt metadata. Jeremiah Fowler is the named researcher quoted in both outlets describing the content and the discovery process.

Misconfigurations of object storage such as unsecured Amazon S3 buckets remain a common and consequential operational failure in data and ML systems. Publicly accessible media caches that also store prompt metadata multiply the privacy and abuse surface by linking user inputs to generated outputs, which complicates incident response, takedown, and forensic review for teams operating generative services.

Industry reporting frames this incident as part of a broader pattern in which generative-image tools are used to create nonconsensual and abusive content, amplifying existing moderation and legal challenges (WIRED). For platforms and practitioners, the combination of high-volume media storage, prompt logs, and weak storage controls represents both compliance exposure and a reputational risk vector; public reporting of explicit or illegal content elevates the urgency of robust data governance.

Review of object-storage ACLs and default bucket policies, separation of prompt telemetry from raw media, and strict access controls on generated-content caches are observable, actionable indicators for teams operating generative-image systems. Industry observers and legal stakeholders will likely track whether platform takedown and disclosure practices evolve in response to incidents that surface possible child sexual abuse material in AI outputs. Organizations that publicly log or archive generated content should also evaluate retention policies and encryption-at-rest as part of routine threat modeling.

"The big thing is just how dangerous this is," Jeremiah Fowler said in an interview with WIRED describing the exposure. The Register published example prompts Fowler shared, redacted for content, to illustrate the nature of user inputs found in the bucket.

This briefing synthesizes reporting from WIRED and The Register and references an incident database summary that compiles those reports.