31 million users' personal data exposed due to MongoDB cloud configuration error

Popular Keyboard App with Tens of Millions of Downloads Leaks Data of Its 31 Million Users

Should You Change Your Password? AI.Type Keyboard App Leaks Personal Information

Strangely, the data breach applies only to Android users of AI.type keyboards, not iOS users.

Ai.type's founder Eitan Fitusi told The Register that the MongoDB database had been secured once Kromtech had reported the issue and that the archive only contained around half of the firm's database information.

The records themselves contain each user's full name, email address, how long they have had the app installed as well as precise details on their exact geographical location.

Security researchers at the Kromtech Security Center the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data from 31,293,959 users. On the other hand, you also have a developer that has collected far more user data than it needs and in a way that violated its own policies.

With 31 million Android users exposed, and the potential for more to be at risk on iOS, you have to sit back and wonder if it's really worth moving away from a secure OS-specific keyboard to a third-party app.

AI.type says on its website that user's privacy 'is our main concern'. This data is then monetised through advertising, but it was also stored on the insecure server, linked to individual users.

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", said Bob Diachenko, head of communications at the Kromtech Security Center.

For users who are anxious they may have typed a password or other sensitive information while using the app, there is little recourse as it's impossible to know for sure if that data was recorded and exposed.

More complete records also include the device's IMSI and IMEI number, the device's make and model, its screen resolution, and the device's specific Android version.

Among the compromised data are dates of birth, email addresses, passwords and information from their Google accounts, as well as all the actual text typed using the keyboard.

"Based on the leaked database they appear to collect everything from contacts to keystrokes".

The database also housed each person's phone number and the name of their mobile carrier.

"MongoDB is a common platform used by many well-known companies and organisations to store data, but a simple misconfiguration could allow the database to be easily exposed online". "Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways".

Kromtech'sVP of strategic alliances Alex Kernishniuk said: "It is clear that data is valuable and everyone wants access to it for different reasons". Security researchers have continued to warn that these apps could also steal your passwords despite their assurances.ai.type is no innocent in this game of data collection.

Latest News