A popular virtual keyboard leaked the personal data of 31 million users


Virtual keyboard app developer Ai.Type accidentally exposed the personal data of 31 million users, including their phone contacts, according to security researchers.

ZDNet's report found, however, that the company had collected more than 8.6 million text entries from the keyboard, including phone numbers, web search terms, and concatenated emails and passwords. The company claims its app has been downloaded more than 40 million times, with additional keyboards that support over 40 languages from Farsi to Slovenian.

In an email, Ai.Type's CEO Eitan Fitusi said the exposed database is now secure, and it only contained "basic data", like keyboard use patterns and ad monitoring.

In the course of a weeks-long investigation, Kromtech Security Center discovered that a misconfigured MongoDB database allowed them to access data from almost 31 million users.

Security researchers say the Ai.Type app's developer failed to secure the database server containing everything from users' names to their locations. It also contained seemingly useless information such as each user's IMSI and IMEI device numbers, which are unique numbers, one identifying a phone on the global network and one identifying it on a particular network, alongside make and model information, screen resolution and even the version of Android the device is running. Each record also included a user's precise location, including their city and country.

ZDNet obtained a portion of the database to verify.

For reasons now unclear, some of the leaked information is reported to also include details linked to Google profiles, such as birth dates, genders, and profile pictures.

The data was only secured after the firm made several attempts to contact Fitusi, who acknowledged the security lapse this weekend. At this point, Kromtech warns that anyone who has ever downloaded and installed the Ai.Type keyboard should consider their data out in the open. Users who opted for the free version of Ai.Type agreed, under the app's privacy policy, to have more of their data collected, such as their smartphone's make and model, IMEI number and Android version, which the company then used for monetisation.

"The misconfigured MongoDB database appears to belong to Ai.Type, a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices", Kromtech Security Center said. ZDNet said it also uncovered the contact details from users' address books. Any text entered on the keyboard "stays encrypted and private", says the company. "This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user", Bob Diachenko of the Kromtech Security Center said.

"It is clear that data is valuable and everyone wants access to it for different reasons", he said. However, he said that most of the data was not sensitive.

"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices".
