Keyboard app caught collecting users' data after 31M records leaked online

It’s just another day with just another breach exposing personal details of unsuspecting users. This time, it’s an immensely popular virtual keyboard app called AI.Type whose developers have exposed personal details of over 31 million users.

The database was discovered by security researchers at the Kromtech Security Center who detailed that in total 577 GB of data containing details of 31,293,959 users was left exposed as a result of a misconfigured MongoDB database.

The database accessed by researchers included sensitive details of users such as full name, phone number, device name, model number, screen resolution, SMS number, mobile network name, Android version, user languages enabled, IMSI number, IMEI number, country of residence, email address, and links and information associated with social media profiles, including photos and in some cases IP addresses.

The company behind AI.Type is based in Tel Aviv, Israel, and claims to have over 40 million users worldwide. However, after the incident, Kromtech researchers question why a keyboard app collects personal and unrelated data that has nothing to do with the way a keyboard app functions.

“When researchers installed Ai.Type they were shocked to discover that users must allow ‘Full Access’ to all of their data stored on the testing iPhone, including all keyboard data past and present,” said researchers.

Moreover, the saga of collecting users' personal data doesn't end here. Researchers also found a trove of 373 million "Phonebook and Contact Records" within the database, which highlights the fact that the company has been collecting user data without their consent or knowledge. For instance, the "Permissions" section of AI.Type's Emoji Keyboard app on the Play Store claims to access limited data, but Kromtech researchers wonder why an Emoji app "needs to gather the entire data of the user's phone or tablet."

Researchers believe that these apps “appear to collect everything from contacts to keystrokes.”

“There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day’: 0.0, ‘word_per_session and a detailed look at their customers,” researchers noted.

According to Alex Kernishniuk, VP of strategic alliances, Kromtech: “It is clear that data is valuable and everyone wants access to it for different reasons. Some want to sell the data they collect; others use it for targeted marketing, predictive artificial intelligence, and cybercriminals want to use it to make money in more and more creative ways. This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.”

A couple of days ago, Google announced a crackdown on apps that misinform users over data collection, and it seems AI.Type has some serious explaining to do. This, however, is not the first time AI.Type has been in the news for all the wrong reasons. Previously, a bug was found in the company's keyboard apps on iOS that opened all premium features for free.

Source: Kromtech Security / Data harvesting illustration: Ann k, It Begins now

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.