Study: 1 Million AI Servers Exposed Online in 2026
Summary
A research team from the security vendor Intruder has scanned more than 2 million hosts and 1 million AI services on the open internet. The findings are alarming: a large share of self-hosted AI infrastructure runs without passwords, without authentication and without basic security. Employee chat logs, internal business logic, API keys and entire agent platforms sit exposed. For European companies this is critical - every such incident can become a GDPR case with heavy fines. Anyone running their own AI tools should check now that their servers really are unreachable from the public internet.
Introduction
More than one million AI services are sitting unprotected on the open internet - many of them without any login at all. That is the result of a new investigation by the security vendor Intruder, published in early May 2026. Using public certificate transparency logs, the researchers identified around 2 million hosts and concluded that the security of self-hosted AI infrastructure is worse than any other software category they have ever examined. For European businesses and public bodies, this is a serious wake-up call.
Background: AI tools are deployed faster than they are secured
providers. They prefer to run their own language models, their own chatbots and their own agent platforms to keep data in-house. That is a sensible approach - as long as those servers are properly secured. And here lies the problem.
The researchers found openly accessible chatbots that exposed complete LLM conversation histories of real users. In corporate environments such histories can contain highly sensitive information: customer names, internal strategies, source code or HR matters. In another case, API keys were visible in plain text. Anyone copying these keys can run commercial AI models at the expense of the affected company.
Particularly worrying: on platforms like Flowise and n8n, complete agent workflows were exposed. In more than 90 cases, this affected sectors such as government, marketing and finance. Attackers could modify workflows, reroute data streams or inject fake responses - without anyone noticing. With Ollama, a popular tool for running language models locally, one in three queried servers answered without any authentication at all. Some of these instances were even wrapped around expensive commercial models from Anthropic, Google or OpenAI - paid for by unsuspecting operators.
The root cause is usually mundane: in many AI projects, login protection is simply not enabled by default. Anyone following the standard installation guide ends up in a high-privilege account without warning. On top of that come hardcoded passwords, badly configured Docker containers and applications running with full system rights.
Impact on Europe: GDPR risk and beyond
For companies inside the EU, the situation is doubly tricky. Anyone losing personal data through an open AI system - for example customer chats or internal emails - has a notifiable data breach under GDPR. Fines can reach up to four percent of global annual turnover. The NIS-2 directive and the Digital Operational Resilience Act (DORA) for financial firms also explicitly require IT systems to be adequately secured. An open AI platform clearly violates both.
There is also a practical issue. Many European mid-sized businesses are currently experimenting with their own AI solutions, often run by small IT teams. These teams know traditional server security well, but AI tools are new. They often lack experience with what an installation secures by default and what it does not. It is precisely in this gap that the incidents documented by Intruder occur on a large scale.
Practical tips to protect yourself
Anyone running AI tools in a company should check a few things. First: never expose an AI server directly to the internet without login requirements and a firewall. Second: never leave API keys inside config files - move them into a proper secret vault. Third: change default passwords immediately after installation. Fourth: make AI platforms like n8n or Flowise reachable only through VPN or internal networks. Fifth: regularly run an external scan to see what your organisation looks like from the public internet.
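A local check for the first, second and fourth tips, added here as an example and not taken from the Intruder study: it reads a Docker Compose file and flags ports published on all interfaces and credentials written as literal values. The sample file, its service names and its variable names are constructed for illustration, and the parser assumes two-space indentation.

```python
import re

# Constructed sample; service and variable names are illustrative only.
SAMPLE = """\
services:
  ollama:
    ports:
      - "11434:11434"
  n8n:
    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - OPENAI_API_KEY=${OPENAI_API_KEY}
  flowise:
    ports:
      - "0.0.0.0:3000:3000"
    environment:
      APP_ADMIN_PASSWORD: "changeme-123"
"""

# Short-syntax mapping: [HOST_IP:]HOST_PORT:CONTAINER_PORT
PORT_RE = re.compile(r'^\s*-\s*["\']?(?:(\d{1,3}(?:\.\d{1,3}){3}):)?(\d+):(\d+)')
# Credential-like variable in "- NAME=value" or "NAME: value" form
SECRET_RE = re.compile(r'^\s*-?\s*([A-Z0-9_]*(?:API_KEY|SECRET|TOKEN|PASSWORD)'
                       r'[A-Z0-9_]*)\s*[=:]\s*["\']?([^"\'\s#]*)')
SERVICE_RE = re.compile(r'^  ([A-Za-z0-9_.-]+):\s*$')  # assumes 2-space indent

def audit_compose(text):
    """Return sorted (service, issue) findings; secret values are never echoed."""
    findings, service = set(), None
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):
            service = m.group(1)
        elif m := PORT_RE.match(line):
            host_ip, host_port = m.group(1), m.group(2)
            # Without a host IP, Docker publishes the port on all interfaces.
            if host_ip in (None, "0.0.0.0"):
                findings.add((service, f"port {host_port} published on all interfaces"))
        elif m := SECRET_RE.match(line):
            name, value = m.groups()
            # A ${VAR} reference is resolved at deploy time; a literal is stored in the file.
            if value and not value.startswith("$"):
                findings.add((service, f"{name} is a literal value in the file"))
    return sorted(findings)

if __name__ == "__main__":
    for service, issue in audit_compose(SAMPLE):
        print(f"{service}: {issue}")
```

The check covers only the short HOST:CONTAINER port syntax and complements the external scan from the fifth tip, which sees what firewalls and reverse proxies actually let through.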
Conclusion
The wave of AI enthusiasm comes with a shadow - and that shadow is security. The study makes one thing clear: right now speed is winning, and security is lagging behind. For Europe, with its strict data protection rules and tightly regulated critical infrastructure, this is a wake-up call. Companies, public authorities and smaller organisations should review their AI systems this week. Otherwise the productivity gain from artificial intelligence quickly turns into a data protection case with very expensive consequences.
The Hacker News - We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is, 5 May 2026
Intruder Research Blog - intruder.io
European Data Protection Board - edpb.europa.eu (GDPR fines and notification obligations)
ENISA - European Union Agency for Cybersecurity, guidance on securing AI systems
NIS-2 Directive and DORA Regulation of the European Union
