I Scanned 1 Million AI Services. Here's What Worries Me More Than the Vulnerabilities

Your error rate just spiked 40%. Three weeks of debugging, two engineers on call rotation, and the coffee is cold. The terminal is still red.

You're staring at a log that shows your AI service has been leaking embeddings to unauthorized requests for two weeks.

Two weeks.

This is what one security researcher found when they systematically scanned a million production AI services and assessed their security posture. The results weren't "some services had issues." They were: almost no one did authentication right. Almost no one had rate limiting. Almost no one encrypted their training data in transit.

悲報 (Hōhō): Literally "bad news" — in Japanese tech circles, a dramatic framing for concerning technical findings. The post that sparked this article used this headline style specifically because the findings were too significant to bury in neutral language.