Sears Exposed AI Chatbot Phone Calls and Text Chats to Anyone on the Web
Unsecured databases leaked names, addresses, and hours of private ambient audio from AI calls.
Security researcher Jeremiah Fowler with Black Hills Information Security uncovered a massive data exposure at Sears Home Services, the appliance repair division of the historic retailer. Fowler found three databases, publicly accessible without password protection or encryption, containing 3.7 million chat logs and 1.4 million audio files from 2024 to the present. The logs were from interactions with 'Samantha,' an AI virtual voice agent powered by technology called kAIros. The exposed data included highly sensitive customer information: full names, phone numbers, home addresses, details of owned appliances, and specifics about delivery and repair appointments.
Beyond the text logs, the exposure included 1.4 million audio files and their text transcripts. Alarmingly, many recordings captured hours of ambient audio after customers believed their calls had ended, with some files lasting up to four hours. Fowler noted these recordings captured private conversations, television audio, and household sounds. This data trove presents a severe risk of highly targeted phishing and warranty scams. After Fowler notified Transformco, Sears' parent company, in early February, the databases were secured. However, it remains unknown how long they were exposed or whether others accessed the data, as Transformco did not respond to requests for comment.
- Exposed databases contained 3.7 million chat logs and 1.4 million audio files/transcripts from Sears' 'Samantha' AI chatbot.
- Leaked personal data included customer names, phone numbers, home addresses, and specific appliance repair details.
- Some audio recordings unintentionally captured up to 4 hours of ambient household noise and private conversations post-call.
Why It Matters
This incident highlights critical data security failures in AI deployment that put millions at risk of identity theft and sophisticated phishing.