A significant data breach has exposed personal information from hundreds of Canva Creators program participants through an unsecured AI chatbot database operated by a Russian company.
The incident highlights emerging security vulnerabilities in the rapidly expanding artificial intelligence supply chain.
My Jedai AI Database Exposed
UpGuard, a cybersecurity research firm, discovered an exposed Chroma database belonging to My Jedai, a Russian AI chatbot development company.
The unsecured database contained 341 collections of documents, ranging in size from 161 bytes to 104 megabytes, with most content appearing in Cyrillic characters that required translation from Russian to English.
Chroma is a specialized document embedding database designed to provide AI chatbots with specific information for generating contextual responses to user queries.
The technology allows developers to augment large language models (LLMs) with custom document stores, enabling chatbots to provide targeted answers based on uploaded content.
However, like any database technology, Chroma requires proper security configuration, including authentication mechanisms and restricted internet access to prevent unauthorized exposure.
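An added example, not code from UpGuard, My Jedai or the Chroma project: a Python check that an operator can run against their own Chroma endpoint for the two conditions named above, missing authentication and unrestricted network reach. The API paths are assumptions that depend on the Chroma server version in use.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Data-bearing routes; paths assumed from Chroma's v1 and v2 HTTP APIs and
# dependent on server version. Adjust to the version you actually run.
DATA_PATHS = (
    "/api/v1/collections",
    "/api/v2/tenants/default_tenant/databases/default_database/collections",
)


def http_status(url, timeout=5):
    """GET url with no credentials; return the status code, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 are still answers from the server
    except (urllib.error.URLError, OSError):
        return None


def is_loopback(host):
    """True only for localhost or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name: treat it as reachable from elsewhere


def audit_chroma(base_url, fetch=http_status):
    """Return a list of findings for a Chroma endpoint you operate."""
    findings = []
    host = urlparse(base_url).hostname or ""
    if not is_loopback(host):
        findings.append(f"{host} is not loopback: confirm a firewall or private network restricts it")
    for path in DATA_PATHS:
        # Only the status code is inspected; no collection content is read.
        if fetch(base_url.rstrip("/") + path) == 200:
            findings.append(f"{path} returned 200 without credentials: enable authentication")
    return findings
```

An empty list means the collection routes refused the unauthenticated request and the endpoint is bound to loopback; any finding is a configuration item to fix before documents are uploaded.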
My Jedai, founded by Andrey Vlasof, operates as a Russian microenterprise that enables customers to create AI-powered chatbots without technical expertise.
The company’s business model allows users to upload documents or link to web content, which then becomes part of their chatbot’s knowledge base.
UpGuard notified My Jedai of the exposure on May 1, 2025, and the company secured the database within 24 hours.
571 Creators’ Personal Information Leaked
Among the diverse collections in the database, researchers discovered one particularly concerning dataset containing survey responses from 571 participants in the Canva Creators program.
The exposed data included email addresses, countries of residence, and comprehensive responses to 51 questions about their experiences with Canva’s creator platform.
The survey data, appearing to be from May 2024, contained detailed information about creators’ professional backgrounds, company sizes, satisfaction ratings for various program components, and specific feedback about royalties, community engagement, and product features.
Respondents represented multiple countries, including Brazil, France, Germany, India, Indonesia, Italy, Japan, the Netherlands, South Korea, Spain, Thailand, and Turkey.
This exposure creates dual risks: for creators, the combination of email addresses with detailed professional and financial information provides a ready-made phishing toolkit, while for Canva, the data reveals competitive intelligence about program strengths and weaknesses along with creator contact information.
UpGuard validated the authenticity of the data by cross-referencing email addresses with publicly available information about the creators.
This incident represents the first reported data leak involving a Chroma database and illustrates how AI adoption has created new vectors for data exposure.
The AI boom has sped up the development of new technologies like Chroma, creating a cycle in which the security expertise around them has not yet reached maturity.
This creates an environment in which independent entrepreneurs can quickly deploy database-to-API products, multiplying the possible failure points in the data supply chain.