Popular Keyboard App with Tens of Millions of Downloads Leaks Data of Its 31 Million Users
The personal data of 31,293,959 users of a popular virtual keyboard app, ai.type, has leaked online due to a misconfigured MongoDB database. Security researchers have reported that the co-founder of ai.type, Eitan Fitusi, failed to secure the database's server and it took several attempts to contact him before the data was secured. The keyboard app claims to have over 40 million downloads on Google's Play Store.
"The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices," Kromtech Security Center said.
Hoards and hoards of personal data remained exposed online
While it may have tens of millions of users all over the world, the app's developers failed to protect the database with a password, enabling anyone to access this database that is over 577 GB heavy. Some of the personal user data included:
- User's full name
- Email address
- Phone number
- Duration the app remained installed on their device
- Device's IMSI and IMEI number
- Phone make and model
- Android version
- User's precise location (long/lat)
- Links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.)
- IP (if available)
Kromtech added that over 6 million records also contained data from users' contact books, "in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account". If that wasn't enough data for the keyboard to mine, security researchers added that "there was a range of other statistics" including the most popular users’ Google queries for different regions.
"It is clear that data is valuable and everyone wants access to it for different reasons," Alex Kernishniuk, VP of strategic alliances at Kromtech, said. "Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways."
This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.
It shouldn't come as a shock to anyone since keyboard apps usually come with a warning that they may be able to collect "everything" you type. Security researchers have continued to warn that these apps could also steal your passwords despite their assurances. ai.type is no innocent in this game of data collection. While it promises to keep the content "encrypted and private", the company failed to even secure the database.
For now, the database has been secured and hopefully we will see fewer of these "incidents" after the release of MongoDB 3.6 that makes it impossible for sloppy businesses to accidentally connect a database to the internet without login protections. But, that doesn't mean they will stop collecting your data. At this point, Kromtech warns that anyone who had ever downloaded and installed ai.type keyboard should consider their data out in the open. "This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," Bob Diachenko of the Kromtech Security Center said.
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."