Since Rabbit debuted its r1 in April 2024, the startup has been hoping to make its device a phone-less way to let artificial intelligence (AI) handle tasks for you throughout the day.
Now, Rabbit has revealed that the r1 has been logging user chats on the device with no way to erase them. This means that if you lost your r1, someone stole it, or you sold it, your chat logs could have potentially been visible to someone else. Users hadn't been made aware that any conversations with the device were being logged.
In a security advisory explaining the issue, the startup said that on July 10, "we became aware of and immediately resolved a potential risk involving lost, stolen, or second-hand r1 devices."
Rabbit also revealed that pairing data stored on the device, which is used to write data to rabbitjournal and trigger actions like "order an Uber" or "play music," could also be used to read data from the rabbitjournal. This issue meant that someone else could take your r1 and see log files with saved requests, photos, and more.
Rabbit has done several things in response. First, a factory reset option is now available in the settings menu that lets you erase all data from the r1. Second, the device now stores less data. Finally, pairing data can no longer be used to read data from rabbithole; it can only trigger actions.
The startup said it had "no indication that pairing data has been abused to retrieve rabbithole journal data belonging to a former device owner," and was sharing this vulnerability in the name of transparency and performing "a full review of device logging practices."
If you have an r1, you don't need to do anything. A software update fixing these issues will download and install automatically.