Ai.Type data leak: 31 million users' personal data exposed due to MongoDB cloud configuration error
"Based on the leaked database they appear to collect everything from contacts to keystrokes," researchers said.
Popular virtual keyboard app Ai.Type accidentally exposed highly personal and sensitive data of more than 31 million customers on an unsecured MongoDB database online. Cybersecurity firm Kromtech Security Center discovered that a 577MB Mongo-hosted database containing the details of 31,293,959 users was exposed to anyone with an internet connection.
The exposed records included highly sensitive and identifiable information of millions of users such as owners' names, phone numbers, device names and models, mobile networks, Android version, IMSI and IMEI numbers, user languages enabled, country of residence, data linked with social media accounts, location details and in some cases IP addresses.
More than six million records contained data collected from users' contact books, including names, phone numbers and contacts saved or linked to a Google account, researchers found. Other statistics listed included the most popular user queries on Google for different regions.
Specific details on users' messaging habits including average messages per day, words per message and more were also discovered by researchers.
Researchers who installed Ai.Type on their testing iPhone were shocked to find out that users must allow "Full Access" to all of the data stored on the device, including past and present keyboard data.
"Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application," Kromtech wrote in a blog post published Tuesday (5 December). "This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or data mined from their phone or tablet.
"MongoDB is a common platform used by many well-known companies and organisations to store data, but a simple misconfiguration could allow the database to be easily exposed online."
Any person with an internet connection could then potentially access, download or even delete the data stored on a misconfigured, leaky database.
Based in Tel Aviv, Israel, the company behind Ai.Type claims to have over 40 million users worldwide and offers both an Android and iOS version of its app.
However, experts raised serious questions about why a virtual keyboard app would need to collect such detailed and personal information that has nothing to do with its functionality.
"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online," Bob Diachenko, head of communications at Kromtech Security Center, said. "This presents a real danger to cybercriminals who could commit fraud or scams using such detailed information about the user.
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."
IBTimes UK has reached out to Ai.Type for comment.
Kromtech's VP of strategic alliances Alex Kernishniuk said: "It is clear that data is valuable and everyone wants access to it for different reasons. Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cybercriminals want to use it to make money in more and more creative ways."