31 Million User’s personal data Leaked by a virtual Keyboard app.

0 7

Nowadays consumers give up more data than ever before in exchange for using services or applications. But, giving up data for personalized services and apps may be scarier from now because the app may leak your data too as this incident below is the best example to think twice before you give any personalised data to an app.

Recently a team of security researchers at Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available. They were able to access the data and details of 31,293,959 users belonging to popular virtual keyboard app, AI.type.

Ai.Type is a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices. It was founded in 2010 and According to their site, their flagship product for Android was downloaded about 40 million times from the Google Play store and the numbers of downloads and user bases are rapidly growing.

When Kromtech researchers installed Ai.Type they were shocked to discover that users must allow “Full Access” to all of their data stored on the testing iPhone, including all keyboard data past and present. It raises the question of why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application. 

Kromtech’s Chief Communication Officer Bob Diachenko said “Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to everyone with an internet connection. This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or data mined from their phone or tablet.”

MongoDB is a common platform used by many well known companies and organizations to store data, but a simple misconfiguration could allow the database to be easily exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or even worst case scenario to even delete the data stored on them.

The largest personal data leak has highly sensitive and identifiable information of 31,293,959 users who installed ai.type virtual keyboard includes:

  • Phone number
  • Full name of the owner
  • Device name and model
  • Mobile network name
  • SMS number
  • screen resolution
  • User languages enabled
  • Android version
  • IMSI number (international mobile subscriber identity used for interconnection)
  • IMEI number (a unique number given to every single mobile phone)
  • Emails associated with the phone
  • Country of residence
  • Links and the information associated with the social media profiles (birthdate, title, emails etc.)
  • Photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).

6,435,813 records that contained data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.

Bob Diachenko, head of communications at Kromtech Security Center raised the question if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.

As theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had their entire phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user.













Jahnavi M

Vulnerability analyst, Technical Writer, Security Blogger, Co-founder—SecKurity

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: