Virtual keyboard app developer Ai.Type accidentally exposed the personal data of 31 million users, including their phone contacts, according to security researchers.
The files were stored in a MongoDB database that had been left reachable from the internet without authentication, so anyone who found its address could read it. Researchers at Kromtech Security Center discovered the problem and notified Ai.Type last month.
In an email, Ai.Type’s CEO Eitan Fitusi said the exposed database is now secure, and it only contained “basic data,” like keyboard use patterns and ad monitoring.
According to Kromtech, though, the client registration files for the 31 million users also contained the device name, the IMEI number, location details based on IP address, and links to the social media profile associated with the smartphone. Ai.Type was also collecting data from users’ contact lists, according to the researchers. In total, the database had 373 million phone numbers stored inside.
However, Fitusi said the app is not snooping on users. The 577GB of files in the database are statistical information that the app pulls from customers so the virtual keyboard’s AI-powered prediction engine can run, he said.
Ai.Type uses the contact information to predict contact names, numbers, and emails. “We have a call or send mail buttons on the keyboard…so you can send the number or call the person in one click,” he said. About 10 percent of that data is sent to the server for prediction purposes, but it’s not shared with any third party.
Kromtech said it found no signs that malicious actors ever accessed the exposed files, but attackers have been actively scanning for internet-exposed, unauthenticated MongoDB instances, wiping their contents and demanding a ransom for their return.
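The misconfiguration behind an exposure like this one, a mongod that listens on every interface with authorization switched off, is easy to audit on the host. What follows is an added example written for this page, not code from the article, from Kromtech or from Ai.Type: a portable sh script that checks a mongod.conf for the two relevant keys and prints a hardened configuration beside a weak one. The two sample configs, the 10.0.0.5 app-network address and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article, Kromtech or Ai.Type): audit a mongod.conf for the
# two settings that together produce an exposure like the one described above, namely
# the server listening on all interfaces while authorization is off.
#
# Facts relied on: mongod's YAML config uses net.bindIp / net.bindIpAll for the listen
# address and security.authorization ("enabled"/"disabled") for access control;
# authorization is disabled by default, and before MongoDB 3.6 the binaries also bound
# to all interfaces by default, so a config that omits both keys was fully exposed.
# The sample configs below are constructed for this example.

# Print one "FINDING: ..." line per weakness in the mongod.conf at $1.
# Returns the number of findings (0 means both checks passed).
audit_mongod_conf() {
    conf="$1"
    findings=0

    # Listening on all interfaces: bindIpAll: true, or a bindIp list containing 0.0.0.0
    # or a bare IPv6 "::". The surrounding-character tests keep 10.0.0.5, ::1 and
    # fe80::1 from matching. Lines starting with # are comments and are ignored.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf" \
       || grep -Eq '^[[:space:]]*bindIp:.*([^0-9.]0\.0\.0\.0([^0-9.]|$)|[^0-9A-Fa-f:]::([^0-9A-Fa-f:]|$))' "$conf"; then
        echo "FINDING: net.bindIp/bindIpAll makes mongod listen on all interfaces"
        findings=$((findings + 1))
    fi

    # Access control: security.authorization must be explicitly "enabled". The default
    # is disabled, so a missing key is a finding. (--auth on the command line is not
    # visible in this file; check the service unit as well.)
    if ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*["'"'"']?enabled' "$conf"; then
        echo "FINDING: security.authorization is not enabled (no credentials needed to read data)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Weak mongod.conf of the kind behind the exposure described above: every interface,
# and no authorization key, so the default (disabled) applies.
weak_conf() {
    cat <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
}

# Hardened mongod.conf: bind only to loopback plus the app network's own interface
# (10.0.0.5 is a constructed address) and require authentication, so each app server
# needs a user with a role scoped to its database instead of anonymous access.
hardened_conf() {
    cat <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
EOF
}

# Write both constructed configs to temp files and audit each.
demo() {
    for name in weak hardened; do
        tmp=$(mktemp)
        "${name}_conf" > "$tmp"
        echo "== $name config =="
        audit_mongod_conf "$tmp" && echo "OK: no findings" || echo "$? finding(s)"
        rm -f "$tmp"
    done
}

demo
```

Run `audit_mongod_conf /etc/mongod.conf` on the database host. The file check is necessary but not sufficient: confirm with `ss -ltn` that port 27017 is bound only where intended, and from an outside host try `mongosh --host <ip> --eval 'db.adminCommand({listDatabases: 1})'`; a database list coming back without credentials is exactly what an attacker's scanner sees.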
Ai.Type, which is based in Israel, has over 60 million users, and offers an Android and iOS version of its keyboard. Android users who install the free version of the app might be scared away by an alert that says the keyboard may collect “all the text you type,” including passwords and credit card numbers. But Fitusi said this warning is issued by the Android OS, not the app itself, and will appear for any alternative input method you try to install.
“We are not collecting/storing/sending any password or credit card information,” Fitusi added. When the keyboard does collect statistical data about keyboard strokes, it is not tied to any identifiable user information, he said.
Kromtech said it didn’t find any keystroke data, passwords, or credit card information in the exposed database. But it was still alarmed that the keyboard app was collecting customers’ phone contact list data.
“It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products,” the company said in its blog post.